From 06bc3205b77562c07f888878421a36f707553098 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Wed, 16 Apr 2025 21:00:47 +0200 Subject: [PATCH 001/265] add variable to network providers and add cilium per default --- .../configure_network_policies/rule.yml | 5 ++--- .../var_configure_network_policies_regex.var | 20 +++++++++++++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 applications/openshift/networking/var_configure_network_policies_regex.var diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml index e30efa56270b..d01c98935abb 100644 --- a/applications/openshift/networking/configure_network_policies/rule.yml +++ b/applications/openshift/networking/configure_network_policies/rule.yml @@ -50,6 +50,5 @@ template: yamlpath: "[:]" check_existence: "any_exist" entity_check: "all" - values: - - value: "OpenShiftSDN|OVN|Calico" - operation: "pattern match" + regex_data: "true" + xccdf_variable: var_configure_network_policies_regex diff --git a/applications/openshift/networking/var_configure_network_policies_regex.var b/applications/openshift/networking/var_configure_network_policies_regex.var new file mode 100644 index 000000000000..d899bd0c4527 --- /dev/null +++ b/applications/openshift/networking/var_configure_network_policies_regex.var @@ -0,0 +1,20 @@ +documentation_complete: true + +title: 'Network Provider which provide Support for Network Policies' + +description: |- + Regular expression explicitly describing + which CNI plugins provide the cluster with the + network policies feature/capability + You can chose to either allow multiple providers + by adding them like "Provider1|Provider2" or only + allow one, by overwriting the value + +type: string + +operator: equals + +interactive: true + +options: + default: "OpenShiftSDN|OVN|Calico|Cilium" 
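Review bot: The description in the new `var_configure_network_policies_regex.var` does not say that the value is consumed as an unanchored OVAL `pattern match`, so every alternative matches as a substring of the cluster's network type — the default depends on this (`OVN` is what matches OpenShift's `OVNKubernetes`), and an over-broad tailored value (for example `.*`) makes the rule pass for any provider, which an operator overriding it should be told. Suggested description wording: `Regular expression matched (unanchored) against the cluster network type. List the CNI plugins that provide network policies as alternatives, e.g. "Provider1|Provider2", or restrict it to a single provider by overriding the value.` The same file has wording slips in `title` and `description`: `Network Provider which provide Support` → `Network providers which provide support`, and `You can chose` → `You can choose`. In the `rule.yml` hunk the fixed `values:` list is replaced by `regex_data: "true"` and `xccdf_variable: var_configure_network_policies_regex`; the enclosing `template:` block starts outside the hunk, so whether that template accepts these keys cannot be confirmed from here.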
From 60241ba6e1ba659641b6a8271df28c7fd2616461 Mon Sep 17 00:00:00 2001 From: cealcorn Date: Tue, 3 Feb 2026 19:12:44 -0800 Subject: [PATCH 002/265] add bascontrol22d --- CMakeLists.txt | 5 + build_product | 1 + products/bascontrol22d4/CMakeCache.txt | 374 ++++++++ .../CMakeFiles/3.26.3/CMakeCCompiler.cmake | 72 ++ .../3.26.3/CMakeDetermineCompilerABI_C.bin | Bin 0 -> 80488 bytes .../CMakeFiles/3.26.3/CMakeSystem.cmake | 15 + .../3.26.3/CompilerIdC/CMakeCCompilerId.c | 866 ++++++++++++++++++ .../CMakeFiles/3.26.3/CompilerIdC/a.out | Bin 0 -> 80632 bytes .../CompilerIdCXX/CMakeCXXCompilerId.cpp | 855 +++++++++++++++++ .../CMakeFiles/CMakeConfigureLog.yaml | 451 +++++++++ .../CMakeFiles/cmake.check_cache | 1 + products/bascontrol22d4/CMakeLists.txt | 6 + products/bascontrol22d4/product.yml | 17 + .../bascontrol22d4/profiles/standard.profile | 10 + .../oval/installed_app_is_bascontrol22d4.xml | 28 + ssg/constants.py | 13 +- 16 files changed, 2708 insertions(+), 6 deletions(-) create mode 100644 products/bascontrol22d4/CMakeCache.txt create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake create mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeSystem.cmake create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/CMakeCCompilerId.c create mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp create mode 100644 products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml create mode 100644 products/bascontrol22d4/CMakeFiles/cmake.check_cache create mode 100644 products/bascontrol22d4/CMakeLists.txt create mode 100644 products/bascontrol22d4/product.yml create mode 100644 products/bascontrol22d4/profiles/standard.profile create mode 100644 shared/applicability/oval/installed_app_is_bascontrol22d4.xml 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 48b206911bb3..7d48dcbe37a3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -89,6 +89,7 @@ option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content w
 option(SSG_PRODUCT_ALMALINUX9 "If enabled, the AlmaLinux OS 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_BASCONTROL22D4 "If enabled, the Contemporary Controls BAScontrol22D 4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN13 "If enabled, the Debian 13 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -326,6 +327,7 @@ message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}")
 message(STATUS "AlmaLinux OS 9: ${SSG_PRODUCT_ALMALINUX9}")
 message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}")
 message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}")
+message(STATUS "Contemporary Controls BAScontrol22D 4: ${SSG_PRODUCT_BASCONTROL22D4}")
 message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
 message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
 message(STATUS "Debian 13: ${SSG_PRODUCT_DEBIAN13}")
@@ -397,6 +399,9 @@ endif()
 if(SSG_PRODUCT_ANOLIS23)
  add_subdirectory("products/anolis23" "anolis23")
 endif()
+if(SSG_PRODUCT_BASCONTROL22D4)
+ add_subdirectory("products/bascontrol22d4" "bascontrol22d4")
+endif()
 if(SSG_PRODUCT_DEBIAN11)
  add_subdirectory("products/debian11" "debian11")
 endif()
diff --git a/build_product b/build_product
index 76e3d3a69854..003e9a356d7f 100755
--- a/build_product
+++ b/build_product
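Review bot: The directory that the new `add_subdirectory("products/bascontrol22d4" "bascontrol22d4")` line pulls in is committed together with the output of an in-source CMake configure — per the diffstat, `products/bascontrol22d4/CMakeCache.txt`, `CMakeFiles/3.26.3/*`, `CMakeFiles/CMakeConfigureLog.yaml` and two ELF binaries (`CompilerIdC/a.out`, `CMakeDetermineCompilerABI_C.bin`) — and those should be dropped from the commit. The cache records `Project_SOURCE_DIR` and `Project_BINARY_DIR` both as `/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4`, i.e. the author's working copy, so none of it is reproducible or reviewable, and opaque binaries are exactly the kind of blob a compliance-content repository should not carry. Only `products/bascontrol22d4/CMakeLists.txt`, `product.yml`, `profiles/standard.profile` and the applicability OVAL look like intended inputs; the `option()`, `message()` and `if()` additions themselves follow the neighbouring products' pattern and keep alphabetical order. The commit subject says `add bascontrol22d` while the product id everywhere else is `bascontrol22d4`; worth aligning.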
@@ -333,6 +333,7 @@ all_cmake_products=(
  ALMALINUX9
  ANOLIS23
  ANOLIS8
+ BASCONTROL22D4
  DEBIAN11
  DEBIAN12
  DEBIAN13
diff --git a/products/bascontrol22d4/CMakeCache.txt b/products/bascontrol22d4/CMakeCache.txt
new file mode 100644
index 000000000000..ee9244e33dc8
--- /dev/null
+++ b/products/bascontrol22d4/CMakeCache.txt
@@ -0,0 +1,374 @@ +# This is the CMakeCache file. +# For build in directory: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 +# It was generated by CMake: /usr/bin/cmake +# You can edit this file to change values found and used by cmake. +# If you do not want to change any of the values, simply exit the editor. +# If you do want to change a value, simply edit, save, and exit the editor. +# The syntax for the file is as follows: +# KEY:TYPE=VALUE +# KEY is the name of a variable in the cache. +# TYPE is a hint to GUIs for the type of VALUE, DO NOT EDIT TYPE!. +# VALUE is the current value for the KEY. + +######################## +# EXTERNAL cache entries +######################## + +//Path to a program. +CMAKE_ADDR2LINE:FILEPATH=/usr/bin/addr2line + +//Path to a program. +CMAKE_AR:FILEPATH=/usr/bin/ar + +//For backwards compatibility, what version of CMake commands and +// syntax should this version of CMake try to support. +CMAKE_BACKWARDS_COMPATIBILITY:STRING=2.4 + +//Choose the type of build, options are: None Debug Release RelWithDebInfo +// MinSizeRel ... +CMAKE_BUILD_TYPE:STRING= + +//Enable/Disable color output during build. +CMAKE_COLOR_MAKEFILE:BOOL=ON + +//CXX compiler +CMAKE_CXX_COMPILER:FILEPATH=CMAKE_CXX_COMPILER-NOTFOUND + +//Flags used by the CXX compiler during all build types. +CMAKE_CXX_FLAGS:STRING= + +//Flags used by the CXX compiler during DEBUG builds. +CMAKE_CXX_FLAGS_DEBUG:STRING= + +//Flags used by the CXX compiler during MINSIZEREL builds. +CMAKE_CXX_FLAGS_MINSIZEREL:STRING= + +//Flags used by the CXX compiler during RELEASE builds. +CMAKE_CXX_FLAGS_RELEASE:STRING= + +//Flags used by the CXX compiler during RELWITHDEBINFO builds. 
+CMAKE_CXX_FLAGS_RELWITHDEBINFO:STRING= + +//C compiler +CMAKE_C_COMPILER:FILEPATH=/usr/bin/cc + +//A wrapper around 'ar' adding the appropriate '--plugin' option +// for the GCC compiler +CMAKE_C_COMPILER_AR:FILEPATH=/usr/bin/gcc-ar + +//A wrapper around 'ranlib' adding the appropriate '--plugin' option +// for the GCC compiler +CMAKE_C_COMPILER_RANLIB:FILEPATH=/usr/bin/gcc-ranlib + +//Flags used by the C compiler during all build types. +CMAKE_C_FLAGS:STRING= + +//Flags used by the C compiler during DEBUG builds. +CMAKE_C_FLAGS_DEBUG:STRING=-g + +//Flags used by the C compiler during MINSIZEREL builds. +CMAKE_C_FLAGS_MINSIZEREL:STRING=-Os -DNDEBUG + +//Flags used by the C compiler during RELEASE builds. +CMAKE_C_FLAGS_RELEASE:STRING=-O3 -DNDEBUG + +//Flags used by the C compiler during RELWITHDEBINFO builds. +CMAKE_C_FLAGS_RELWITHDEBINFO:STRING=-O2 -g -DNDEBUG + +//Path to a program. +CMAKE_DLLTOOL:FILEPATH=CMAKE_DLLTOOL-NOTFOUND + +//Flags used by the linker during all build types. +CMAKE_EXE_LINKER_FLAGS:STRING= + +//Flags used by the linker during DEBUG builds. +CMAKE_EXE_LINKER_FLAGS_DEBUG:STRING= + +//Flags used by the linker during MINSIZEREL builds. +CMAKE_EXE_LINKER_FLAGS_MINSIZEREL:STRING= + +//Flags used by the linker during RELEASE builds. +CMAKE_EXE_LINKER_FLAGS_RELEASE:STRING= + +//Flags used by the linker during RELWITHDEBINFO builds. +CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO:STRING= + +//Enable/Disable output of compile commands during generation. +CMAKE_EXPORT_COMPILE_COMMANDS:BOOL= + +//Value Computed by CMake. +CMAKE_FIND_PACKAGE_REDIRECTS_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/pkgRedirects + +//Install path prefix, prepended onto install directories. +CMAKE_INSTALL_PREFIX:PATH=/usr/local + +//Path to a program. +CMAKE_LINKER:FILEPATH=/usr/bin/ld + +//Path to a program. 
+CMAKE_MAKE_PROGRAM:FILEPATH=/usr/bin/gmake + +//Flags used by the linker during the creation of modules during +// all build types. +CMAKE_MODULE_LINKER_FLAGS:STRING= + +//Flags used by the linker during the creation of modules during +// DEBUG builds. +CMAKE_MODULE_LINKER_FLAGS_DEBUG:STRING= + +//Flags used by the linker during the creation of modules during +// MINSIZEREL builds. +CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL:STRING= + +//Flags used by the linker during the creation of modules during +// RELEASE builds. +CMAKE_MODULE_LINKER_FLAGS_RELEASE:STRING= + +//Flags used by the linker during the creation of modules during +// RELWITHDEBINFO builds. +CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO:STRING= + +//Path to a program. +CMAKE_NM:FILEPATH=/usr/bin/nm + +//Path to a program. +CMAKE_OBJCOPY:FILEPATH=/usr/bin/objcopy + +//Path to a program. +CMAKE_OBJDUMP:FILEPATH=/usr/bin/objdump + +//Value Computed by CMake +CMAKE_PROJECT_DESCRIPTION:STATIC= + +//Value Computed by CMake +CMAKE_PROJECT_HOMEPAGE_URL:STATIC= + +//Value Computed by CMake +CMAKE_PROJECT_NAME:STATIC=Project + +//Path to a program. +CMAKE_RANLIB:FILEPATH=/usr/bin/ranlib + +//Path to a program. +CMAKE_READELF:FILEPATH=/usr/bin/readelf + +//Flags used by the linker during the creation of shared libraries +// during all build types. +CMAKE_SHARED_LINKER_FLAGS:STRING= + +//Flags used by the linker during the creation of shared libraries +// during DEBUG builds. +CMAKE_SHARED_LINKER_FLAGS_DEBUG:STRING= + +//Flags used by the linker during the creation of shared libraries +// during MINSIZEREL builds. +CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL:STRING= + +//Flags used by the linker during the creation of shared libraries +// during RELEASE builds. +CMAKE_SHARED_LINKER_FLAGS_RELEASE:STRING= + +//Flags used by the linker during the creation of shared libraries +// during RELWITHDEBINFO builds. 
+CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO:STRING= + +//If set, runtime paths are not added when installing shared libraries, +// but are added when building. +CMAKE_SKIP_INSTALL_RPATH:BOOL=NO + +//If set, runtime paths are not added when using shared libraries. +CMAKE_SKIP_RPATH:BOOL=NO + +//Flags used by the linker during the creation of static libraries +// during all build types. +CMAKE_STATIC_LINKER_FLAGS:STRING= + +//Flags used by the linker during the creation of static libraries +// during DEBUG builds. +CMAKE_STATIC_LINKER_FLAGS_DEBUG:STRING= + +//Flags used by the linker during the creation of static libraries +// during MINSIZEREL builds. +CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL:STRING= + +//Flags used by the linker during the creation of static libraries +// during RELEASE builds. +CMAKE_STATIC_LINKER_FLAGS_RELEASE:STRING= + +//Flags used by the linker during the creation of static libraries +// during RELWITHDEBINFO builds. +CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO:STRING= + +//Path to a program. +CMAKE_STRIP:FILEPATH=/usr/bin/strip + +//If this value is on, makefiles will be generated without the +// .SILENT directive, and all commands will be echoed to the console +// during the make. This is useful for debugging only. With Visual +// Studio IDE projects all commands are done without /nologo. +CMAKE_VERBOSE_MAKEFILE:BOOL=FALSE + +//Single output directory for building all executables. +EXECUTABLE_OUTPUT_PATH:PATH= + +//Single output directory for building all libraries. 
+LIBRARY_OUTPUT_PATH:PATH= + +//Value Computed by CMake +Project_BINARY_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 + +//Value Computed by CMake +Project_IS_TOP_LEVEL:STATIC=ON + +//Value Computed by CMake +Project_SOURCE_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 + + +######################## +# INTERNAL cache entries +######################## + +//ADVANCED property for variable: CMAKE_ADDR2LINE +CMAKE_ADDR2LINE-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_AR +CMAKE_AR-ADVANCED:INTERNAL=1 +//This is the directory where this CMakeCache.txt was created +CMAKE_CACHEFILE_DIR:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 +//Major version of cmake used to create the current loaded cache +CMAKE_CACHE_MAJOR_VERSION:INTERNAL=3 +//Minor version of cmake used to create the current loaded cache +CMAKE_CACHE_MINOR_VERSION:INTERNAL=26 +//Patch version of cmake used to create the current loaded cache +CMAKE_CACHE_PATCH_VERSION:INTERNAL=3 +//ADVANCED property for variable: CMAKE_COLOR_MAKEFILE +CMAKE_COLOR_MAKEFILE-ADVANCED:INTERNAL=1 +//Path to CMake executable. +CMAKE_COMMAND:INTERNAL=/usr/bin/cmake +//Path to cpack program executable. +CMAKE_CPACK_COMMAND:INTERNAL=/usr/bin/cpack +//Path to ctest program executable. 
+CMAKE_CTEST_COMMAND:INTERNAL=/usr/bin/ctest +//ADVANCED property for variable: CMAKE_CXX_COMPILER +CMAKE_CXX_COMPILER-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_CXX_FLAGS +CMAKE_CXX_FLAGS-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_CXX_FLAGS_DEBUG +CMAKE_CXX_FLAGS_DEBUG-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_CXX_FLAGS_MINSIZEREL +CMAKE_CXX_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELEASE +CMAKE_CXX_FLAGS_RELEASE-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELWITHDEBINFO +CMAKE_CXX_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_COMPILER +CMAKE_C_COMPILER-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_COMPILER_AR +CMAKE_C_COMPILER_AR-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_COMPILER_RANLIB +CMAKE_C_COMPILER_RANLIB-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_FLAGS +CMAKE_C_FLAGS-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_FLAGS_DEBUG +CMAKE_C_FLAGS_DEBUG-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_FLAGS_MINSIZEREL +CMAKE_C_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_FLAGS_RELEASE +CMAKE_C_FLAGS_RELEASE-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_C_FLAGS_RELWITHDEBINFO +CMAKE_C_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_DLLTOOL +CMAKE_DLLTOOL-ADVANCED:INTERNAL=1 +//Path to cache edit program executable. 
+CMAKE_EDIT_COMMAND:INTERNAL=/usr/bin/ccmake +//Executable file format +CMAKE_EXECUTABLE_FORMAT:INTERNAL=ELF +//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS +CMAKE_EXE_LINKER_FLAGS-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_DEBUG +CMAKE_EXE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_MINSIZEREL +CMAKE_EXE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELEASE +CMAKE_EXE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO +CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_EXPORT_COMPILE_COMMANDS +CMAKE_EXPORT_COMPILE_COMMANDS-ADVANCED:INTERNAL=1 +//Name of external makefile project generator. +CMAKE_EXTRA_GENERATOR:INTERNAL= +//Name of generator. +CMAKE_GENERATOR:INTERNAL=Unix Makefiles +//Generator instance identifier. +CMAKE_GENERATOR_INSTANCE:INTERNAL= +//Name of generator platform. +CMAKE_GENERATOR_PLATFORM:INTERNAL= +//Name of generator toolset. +CMAKE_GENERATOR_TOOLSET:INTERNAL= +//Source directory with the top level CMakeLists.txt file for this +// project +CMAKE_HOME_DIRECTORY:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 +//Install .so files without execute permission. 
+CMAKE_INSTALL_SO_NO_EXE:INTERNAL=0 +//ADVANCED property for variable: CMAKE_LINKER +CMAKE_LINKER-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_MAKE_PROGRAM +CMAKE_MAKE_PROGRAM-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS +CMAKE_MODULE_LINKER_FLAGS-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_DEBUG +CMAKE_MODULE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL +CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELEASE +CMAKE_MODULE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO +CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_NM +CMAKE_NM-ADVANCED:INTERNAL=1 +//number of local generators +CMAKE_NUMBER_OF_MAKEFILES:INTERNAL=1 +//ADVANCED property for variable: CMAKE_OBJCOPY +CMAKE_OBJCOPY-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_OBJDUMP +CMAKE_OBJDUMP-ADVANCED:INTERNAL=1 +//Platform information initialized +CMAKE_PLATFORM_INFO_INITIALIZED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_RANLIB +CMAKE_RANLIB-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_READELF +CMAKE_READELF-ADVANCED:INTERNAL=1 +//Path to CMake installation. 
+CMAKE_ROOT:INTERNAL=/usr/share/cmake +//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS +CMAKE_SHARED_LINKER_FLAGS-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_DEBUG +CMAKE_SHARED_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL +CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELEASE +CMAKE_SHARED_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO +CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_SKIP_INSTALL_RPATH +CMAKE_SKIP_INSTALL_RPATH-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_SKIP_RPATH +CMAKE_SKIP_RPATH-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS +CMAKE_STATIC_LINKER_FLAGS-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_DEBUG +CMAKE_STATIC_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL +CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELEASE +CMAKE_STATIC_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO +CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 +//ADVANCED property for variable: CMAKE_STRIP +CMAKE_STRIP-ADVANCED:INTERNAL=1 +//uname command +CMAKE_UNAME:INTERNAL=/usr/bin/uname +//ADVANCED property for variable: CMAKE_VERBOSE_MAKEFILE +CMAKE_VERBOSE_MAKEFILE-ADVANCED:INTERNAL=1 +//linker supports push/pop state +_CMAKE_LINKER_PUSHPOP_STATE_SUPPORTED:INTERNAL=TRUE + diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake new file mode 100644 index 000000000000..9db2d954e33a 
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake
@@ -0,0 +1,72 @@ +set(CMAKE_C_COMPILER "/usr/bin/cc") +set(CMAKE_C_COMPILER_ARG1 "") +set(CMAKE_C_COMPILER_ID "GNU") +set(CMAKE_C_COMPILER_VERSION "12.1.1") +set(CMAKE_C_COMPILER_VERSION_INTERNAL "") +set(CMAKE_C_COMPILER_WRAPPER "") +set(CMAKE_C_STANDARD_COMPUTED_DEFAULT "17") +set(CMAKE_C_EXTENSIONS_COMPUTED_DEFAULT "ON") +set(CMAKE_C_COMPILE_FEATURES "c_std_90;c_function_prototypes;c_std_99;c_restrict;c_variadic_macros;c_std_11;c_static_assert;c_std_17;c_std_23") +set(CMAKE_C90_COMPILE_FEATURES "c_std_90;c_function_prototypes") +set(CMAKE_C99_COMPILE_FEATURES "c_std_99;c_restrict;c_variadic_macros") +set(CMAKE_C11_COMPILE_FEATURES "c_std_11;c_static_assert") +set(CMAKE_C17_COMPILE_FEATURES "c_std_17") +set(CMAKE_C23_COMPILE_FEATURES "c_std_23") + +set(CMAKE_C_PLATFORM_ID "Linux") +set(CMAKE_C_SIMULATE_ID "") +set(CMAKE_C_COMPILER_FRONTEND_VARIANT "GNU") +set(CMAKE_C_SIMULATE_VERSION "") + + + + +set(CMAKE_AR "/usr/bin/ar") +set(CMAKE_C_COMPILER_AR "/usr/bin/gcc-ar") +set(CMAKE_RANLIB "/usr/bin/ranlib") +set(CMAKE_C_COMPILER_RANLIB "/usr/bin/gcc-ranlib") +set(CMAKE_LINKER "/usr/bin/ld") +set(CMAKE_MT "") +set(CMAKE_COMPILER_IS_GNUCC 1) +set(CMAKE_C_COMPILER_LOADED 1) +set(CMAKE_C_COMPILER_WORKS TRUE) +set(CMAKE_C_ABI_COMPILED TRUE) + +set(CMAKE_C_COMPILER_ENV_VAR "CC") + +set(CMAKE_C_COMPILER_ID_RUN 1) +set(CMAKE_C_SOURCE_FILE_EXTENSIONS c;m) +set(CMAKE_C_IGNORE_EXTENSIONS h;H;o;O;obj;OBJ;def;DEF;rc;RC) +set(CMAKE_C_LINKER_PREFERENCE 10) + +# Save compiler ABI information. 
+set(CMAKE_C_SIZEOF_DATA_PTR "8") +set(CMAKE_C_COMPILER_ABI "ELF") +set(CMAKE_C_BYTE_ORDER "LITTLE_ENDIAN") +set(CMAKE_C_LIBRARY_ARCHITECTURE "") + +if(CMAKE_C_SIZEOF_DATA_PTR) + set(CMAKE_SIZEOF_VOID_P "${CMAKE_C_SIZEOF_DATA_PTR}") +endif() + +if(CMAKE_C_COMPILER_ABI) + set(CMAKE_INTERNAL_PLATFORM_ABI "${CMAKE_C_COMPILER_ABI}") +endif() + +if(CMAKE_C_LIBRARY_ARCHITECTURE) + set(CMAKE_LIBRARY_ARCHITECTURE "") +endif() + +set(CMAKE_C_CL_SHOWINCLUDES_PREFIX "") +if(CMAKE_C_CL_SHOWINCLUDES_PREFIX) + set(CMAKE_CL_SHOWINCLUDES_PREFIX "${CMAKE_C_CL_SHOWINCLUDES_PREFIX}") +endif() + + + + + +set(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include") +set(CMAKE_C_IMPLICIT_LINK_LIBRARIES "gcc;gcc_s;c;gcc;gcc_s") +set(CMAKE_C_IMPLICIT_LINK_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib") +set(CMAKE_C_IMPLICIT_LINK_FRAMEWORK_DIRECTORIES "") 
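Review bot: This file is CMake's per-build toolchain snapshot from a local configure run and should not be committed, and the same applies to the CMakeCache.txt contents just above it, the rest of the products/bascontrol22d4/CMakeFiles/ tree, and the two compiled executables (CMakeDetermineCompilerABI_C.bin and CompilerIdC/a.out) added with mode 100755 as binary patches. The hard-coded values here (/usr/bin/cc, GNU 12.1.1, /usr/lib/gcc/aarch64-redhat-linux/12/include) describe one developer's machine rather than the project, so they would be wrong for every other checkout, and checked-in binaries are opaque to review and cannot be reproduced from source by the repository. I would drop everything under products/bascontrol22d4/CMakeFiles/ and the CMakeCache.txt from this commit and add `CMakeCache.txt` and `CMakeFiles/` to the repository's ignore list so a stray `cmake .` in a product directory cannot re-add them; the hand-written product files (CMakeLists.txt, product.yml, the profile) are presumably all this change needs. The CMakeCCompilerId.c and CMakeCXXCompilerId.cpp hunks further down are the same CMake-internal probe sources and should go with them.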
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin new file mode 100755 index 0000000000000000000000000000000000000000..df1625832f344f4ea52f49e2bf1d3d149e4684b9 GIT binary patch literal 80488 zcmeI3eQX@Zb->@onyJI-B@l$TS^Js$ge$4C6We-syv`d04%w6lJ&aI6^1Uk zGPBh!vIKWD>Ob{$an-F~TurMC%hT0kea*>HzHf^vqBK;7Wt89Vp&#}0&89|ecuuz$#id#IpC!-3y9)X2 zy9&7zg?w>x>V##LhsW+bovM^lZSJ`DV0@b6-of`l?CpD(zjkWt9V1U)`N72H`@iy& zueOcQ7^x2wk8CKBeS^xmc^VHjPrA9r83U4ceqwW7U3zo9VNe}SwHn7?pI+?fe(~oY z+S2*b*I)hPk8D44Y1=nnzW>0p?|t>!$?T8*?Z$`CAH4Y3(;s;#bN7>1o9nMW@QX{+ z=o*@+Kf6O}j-oCZqW@@w{ub1S#rbN4{RrwCp&8rgz}$NJAZ8n39~=zmKdkl50sUpA zuZ>edeG=mY?d=HrPousGcES8+19R@2l6)Aq-LL~E#h@bGt^Nai2_^ME*w3A)C;Mg{ zhx$k99^At0&!V2%UC{Qok};+~#Vw2vm?o~oVYA{`Wyc)1@SVC zaokg4xQEdHs6Vocq2+BTdH=pN_gUOk67YSkyQ0c*c$thb&99}EjNuNccXd_1;nCB6 z$!Wo(_aBGdbsNVxF*ZiIS+7shd*d{E^mHuXbkEVmi>r@*>r1N%m^%*e0bjnEFjihU3UjYx``Fwp%paUfU|k(|L?Yekl?AGT=DW z7z6f40KWUS-#+%k^!7jesR$~Rv1rS@EY-&Fj5wGCEo!FU(S z#(QP}-u+|jdlF{OT`0qQeznb5S$*_7RkqBJ#`7=O|Fw_74;FU8^EVT)vUV7r2V@bO zIXbtnYv%dn*oAh~A6qzVpgy*3LD$2=(Yc#g4^!4uX#Itj4eMhIEs^o5E$q`AG4igF z;QFBT?@j%KJws=|d;w96$s_h7ld!|WaG?(Z5*gQ{14*=ff% zOJzKEJUGyw$qaOx-Gg2I=|Qwm^;S0jAYMO_L+n7}ce_y1x$5fb+S>b3E~A`4+5E=Z z+7l@IP}1@536#&FypHk)%6XKyrd4XxGWN(hsGB+zJFxw*+LxPApTT(Qc$;oGMCaE# zaGOCLUvrQv`BOihKz%DIFp=&&Zl7m=%(viHz-=CNxRwFZC(=8UpR4X9zU1qLJy8H!QuigL8#Iol8KW*SSJ>Hn zXOi#e9em$AlWiwcZK<~8$<~u6Ti@M!SMnX_>|C548gwUIAiJh|A z0Q7phTgxz;K3(_z4QzN_KI566U|YOaujw@#*472xM)L+X9EW9C9Ij&-X2X4bc7r~1 zU%#jOL+ji(u8FqRyY57#?l;RMs#J1W*Ow=Y#e8uzIXXNXoGeIcQ#~*BRD6X?q(+~-vy|J&&wC3iluWve(m z<{8VGoIPSq7928>IhHw={aE&6IabTD8n2V&d`u@rO6uGx=VQ6%l4~w~y(`z%?vX*R ztJSel?w#b`N$#EG-bwDA|L?O*e%{YA>A#MX=hf-A{_|>{Tb44%HSZDL z^6w-J{oaY+(a9XYb?2Dgm(jb$n0qf7`i?6&-~7(Y^*I*${!PaVUF+CfWJ=&ej`p}w zQ=fo1WJ2``m?ZEHf{d%O&?|nTL3D^nz-r1vu1iopV*YA=2`bOy6Vt7?5pMWNq4b|@k z{?5bel)$&O{C$UCzX!s;KS;o>a9w|o;kVxl{GEnhzYm(B!>dyH1Zoe4>Z@<7eLe}; 
z56OT%E_tYfU#j=UUSsw0m)`6KIMZ_mdgFUKpm)C;X@buOxT)`7;yZxPh1`Z~zaREA z`^S|cgAn^3tq=Bx_6Z z9DcpoALnxs_Fs$8bDU>(`s2J1VgK(DdX6)&#~&vVN2rnWQhWS4sO^o={b)b@(*b|{ z)7qY|H`FBJzk4@qcR$=w?~hZ6u>Vwqp2vG*t3S?PM%cd)q31Y{H~QoJM}+-e`XD8e z=YDA2>yL9P!ak$*LC%kAeUK*~_k#9r|C``y;Q00o#@Xoj8I1oIXdlPpC+qje)R^Y@)@6pmAS9&bha7}V-{-sc1J?&@pL zze5-&Y&|fCg#d?P)$T4>*7`%bqaW4!X5DU5>o044yVmd2dS18u{hn59ZcWg>)nJv9 zf4*Tqo8aDn{a>keYxNW?Y`ot<`*_Ip*mrdQgX`h@%6z{;HS#I_Bv__^>o!9 zynaj6(>(5j;C0R}rLVp2`W@8A@yoN|^{3l@?e*tzwBJol2T~vElK~wSpHlkT>$e>0 z8$IisUCXF%!s}IDC;UC{C$)WWTpv^VeKpsCpNO#kthNtcPyQL|liUf9{0i#B#`|}u zr+)HvwVDp}doLc(X7zV`0G_KP~~4iewzRI4qx81I+FQX_k+Ou%?%;WAkY!wRT z!?tzN94V5nNV>9NrjJPq#m%(=<&@o9ANluTMNKGV*#)~gxJAD2tMI8rjR(}0bXNPGX%Z@rq8tTcFc`|kCG?@LFv*!9VU__dPjFqKMnb}H3 z`TEBQz4(ukRxaLQoXIm@xM6^@feW|GQv!NTZxsaW;5vZb<9ZMy9)Y?zFCI>fq? zqLZ@6^vWB{p)Z$Q4|fT=9-PO()_5LIS)+6w!hb2%fEx_SKnnMSaa`bTztqrDmgAK3 z*+~cYp8uspzjun^Mz?X4+T#WZlu7{q9?C7bwwxz<6gT>f5&QG=&5TyGkdY_xbq1@{ zPe8E1{`{O{N-L6VsAbT<3-$krze!^Mr{adPd`c@WsM7lTM7}Q7Y8b@KHr&{MIc{JH z@cF6|aGl^_qTgFkmi?PaiRt%o!&{iDKmYFQn(pXpWaLRYTvbEQx$wsp)&BEy+ArYs z5T&=f0(7z34)^yW*3)mcxXjOU=e0wt_7C=7tAU=UQCHa?HW_XeIbiB@MYa9l_#el5 z^6$`g{Cv1C#Gjti2mSvDb;LxQSFht|wSs?dr^BnZI8XB9xOx5gdGmAH|6Z>#=GAYI zJh~?X{?K5!wfcv1R{|5JYh4@s|1@si_WAks6+KX1C+tA1yy+P%kU#V1>+yN*|B%-h z^UROcU&M^ppYNyo^bh;G*ig%0`+pPg=jZ0L+W+qZ{=xRIVLjc$(mp_mpRX^jy5*of zmsx%f&FFVj?9b2Pm)@lR4fLg{W`BNOzpVY|_5AVr;&yo*+(ch8VSj$Ee_cOOPhy=n zu|Lb#vC`|$&;J*-Kkt7WgZ)_kBH+*WbNl99SloZU-#Yjv{r^kH z4EB@#Q`MH-47blRff?FWX0#pOHxB6b_vi;Ac;~26aQ#snUi;cai3^9^7RIzA9S8mZ pH|ECs6)jU9yK>b3t{>Mu>24 & 0x00FF) +# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF) +# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__ & 0xFFFF) + +#elif defined(__BORLANDC__) +# define COMPILER_ID "Borland" + /* __BORLANDC__ = 0xVRR */ +# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8) +# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF) + +#elif defined(__WATCOMC__) && __WATCOMC__ < 1200 +# define COMPILER_ID "Watcom" + 
/* __WATCOMC__ = VVRR */ +# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100) +# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) +# if (__WATCOMC__ % 10) > 0 +# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) +# endif + +#elif defined(__WATCOMC__) +# define COMPILER_ID "OpenWatcom" + /* __WATCOMC__ = VVRP + 1100 */ +# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100) +# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) +# if (__WATCOMC__ % 10) > 0 +# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) +# endif + +#elif defined(__SUNPRO_C) +# define COMPILER_ID "SunPro" +# if __SUNPRO_C >= 0x5100 + /* __SUNPRO_C = 0xVRRP */ +# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>12) +# define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xFF) +# define COMPILER_VERSION_PATCH HEX(__SUNPRO_C & 0xF) +# else + /* __SUNPRO_CC = 0xVRP */ +# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>8) +# define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xF) +# define COMPILER_VERSION_PATCH HEX(__SUNPRO_C & 0xF) +# endif + +#elif defined(__HP_cc) +# define COMPILER_ID "HP" + /* __HP_cc = VVRRPP */ +# define COMPILER_VERSION_MAJOR DEC(__HP_cc/10000) +# define COMPILER_VERSION_MINOR DEC(__HP_cc/100 % 100) +# define COMPILER_VERSION_PATCH DEC(__HP_cc % 100) + +#elif defined(__DECC) +# define COMPILER_ID "Compaq" + /* __DECC_VER = VVRRTPPPP */ +# define COMPILER_VERSION_MAJOR DEC(__DECC_VER/10000000) +# define COMPILER_VERSION_MINOR DEC(__DECC_VER/100000 % 100) +# define COMPILER_VERSION_PATCH DEC(__DECC_VER % 10000) + +#elif defined(__IBMC__) && defined(__COMPILER_VER__) +# define COMPILER_ID "zOS" + /* __IBMC__ = VRP */ +# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100) +# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10) +# define COMPILER_VERSION_PATCH DEC(__IBMC__ % 10) + +#elif defined(__open_xl__) && defined(__clang__) +# define COMPILER_ID "IBMClang" +# define COMPILER_VERSION_MAJOR DEC(__open_xl_version__) +# define COMPILER_VERSION_MINOR 
DEC(__open_xl_release__) +# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__) +# define COMPILER_VERSION_TWEAK DEC(__open_xl_ptf_fix_level__) + + +#elif defined(__ibmxl__) && defined(__clang__) +# define COMPILER_ID "XLClang" +# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__) +# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__) +# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__) +# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__) + + +#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ >= 800 +# define COMPILER_ID "XL" + /* __IBMC__ = VRP */ +# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100) +# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10) +# define COMPILER_VERSION_PATCH DEC(__IBMC__ % 10) + +#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ < 800 +# define COMPILER_ID "VisualAge" + /* __IBMC__ = VRP */ +# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100) +# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10) +# define COMPILER_VERSION_PATCH DEC(__IBMC__ % 10) + +#elif defined(__NVCOMPILER) +# define COMPILER_ID "NVHPC" +# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__) +# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__) +# if defined(__NVCOMPILER_PATCHLEVEL__) +# define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__) +# endif + +#elif defined(__PGI) +# define COMPILER_ID "PGI" +# define COMPILER_VERSION_MAJOR DEC(__PGIC__) +# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__) +# if defined(__PGIC_PATCHLEVEL__) +# define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__) +# endif + +#elif defined(_CRAYC) +# define COMPILER_ID "Cray" +# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR) +# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR) + +#elif defined(__TI_COMPILER_VERSION__) +# define COMPILER_ID "TI" + /* __TI_COMPILER_VERSION__ = VVVRRRPPP */ +# define COMPILER_VERSION_MAJOR DEC(__TI_COMPILER_VERSION__/1000000) +# define COMPILER_VERSION_MINOR 
DEC(__TI_COMPILER_VERSION__/1000 % 1000) +# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__ % 1000) + +#elif defined(__CLANG_FUJITSU) +# define COMPILER_ID "FujitsuClang" +# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) +# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) +# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) +# define COMPILER_VERSION_INTERNAL_STR __clang_version__ + + +#elif defined(__FUJITSU) +# define COMPILER_ID "Fujitsu" +# if defined(__FCC_version__) +# define COMPILER_VERSION __FCC_version__ +# elif defined(__FCC_major__) +# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) +# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) +# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) +# endif +# if defined(__fcc_version) +# define COMPILER_VERSION_INTERNAL DEC(__fcc_version) +# elif defined(__FCC_VERSION) +# define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION) +# endif + + +#elif defined(__ghs__) +# define COMPILER_ID "GHS" +/* __GHS_VERSION_NUMBER = VVVVRP */ +# ifdef __GHS_VERSION_NUMBER +# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100) +# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10) +# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER % 10) +# endif + +#elif defined(__TASKING__) +# define COMPILER_ID "Tasking" + # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000) + # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100) +# define COMPILER_VERSION_INTERNAL DEC(__VERSION__) + +#elif defined(__TINYC__) +# define COMPILER_ID "TinyCC" + +#elif defined(__BCC__) +# define COMPILER_ID "Bruce" + +#elif defined(__SCO_VERSION__) +# define COMPILER_ID "SCO" + +#elif defined(__ARMCC_VERSION) && !defined(__clang__) +# define COMPILER_ID "ARMCC" +#if __ARMCC_VERSION >= 1000000 + /* __ARMCC_VERSION = VRRPPPP */ + # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000) + # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 100) + # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) 
+#else + /* __ARMCC_VERSION = VRPPPP */ + # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000) + # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10) + # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) +#endif + + +#elif defined(__clang__) && defined(__apple_build_version__) +# define COMPILER_ID "AppleClang" +# if defined(_MSC_VER) +# define SIMULATE_ID "MSVC" +# endif +# define COMPILER_VERSION_MAJOR DEC(__clang_major__) +# define COMPILER_VERSION_MINOR DEC(__clang_minor__) +# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) +# if defined(_MSC_VER) + /* _MSC_VER = VVRR */ +# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) +# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) +# endif +# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__) + +#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION) +# define COMPILER_ID "ARMClang" + # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000) + # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100) + # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION % 10000) +# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION) + +#elif defined(__clang__) +# define COMPILER_ID "Clang" +# if defined(_MSC_VER) +# define SIMULATE_ID "MSVC" +# endif +# define COMPILER_VERSION_MAJOR DEC(__clang_major__) +# define COMPILER_VERSION_MINOR DEC(__clang_minor__) +# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) +# if defined(_MSC_VER) + /* _MSC_VER = VVRR */ +# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) +# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) +# endif + +#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__)) +# define COMPILER_ID "LCC" +# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100) +# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100) +# if defined(__LCC_MINOR__) +# define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__) +# endif +# if defined(__GNUC__) && defined(__GNUC_MINOR__) +# define SIMULATE_ID 
"GNU" +# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) +# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) +# if defined(__GNUC_PATCHLEVEL__) +# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) +# endif +# endif + +#elif defined(__GNUC__) +# define COMPILER_ID "GNU" +# define COMPILER_VERSION_MAJOR DEC(__GNUC__) +# if defined(__GNUC_MINOR__) +# define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__) +# endif +# if defined(__GNUC_PATCHLEVEL__) +# define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) +# endif + +#elif defined(_MSC_VER) +# define COMPILER_ID "MSVC" + /* _MSC_VER = VVRR */ +# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100) +# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100) +# if defined(_MSC_FULL_VER) +# if _MSC_VER >= 1400 + /* _MSC_FULL_VER = VVRRPPPPP */ +# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000) +# else + /* _MSC_FULL_VER = VVRRPPPP */ +# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000) +# endif +# endif +# if defined(_MSC_BUILD) +# define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD) +# endif + +#elif defined(_ADI_COMPILER) +# define COMPILER_ID "ADSP" +#if defined(__VERSIONNUM__) + /* __VERSIONNUM__ = 0xVVRRPPTT */ +# define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF) +# define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF) +# define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF) +# define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF) +#endif + +#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) +# define COMPILER_ID "IAR" +# if defined(__VER__) && defined(__ICCARM__) +# define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000) +# define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000) +# define COMPILER_VERSION_PATCH DEC((__VER__) % 1000) +# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) +# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || 
defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__)) +# define COMPILER_VERSION_MAJOR DEC((__VER__) / 100) +# define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100)) +# define COMPILER_VERSION_PATCH DEC(__SUBVERSION__) +# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) +# endif + +#elif defined(__SDCC_VERSION_MAJOR) || defined(SDCC) +# define COMPILER_ID "SDCC" +# if defined(__SDCC_VERSION_MAJOR) +# define COMPILER_VERSION_MAJOR DEC(__SDCC_VERSION_MAJOR) +# define COMPILER_VERSION_MINOR DEC(__SDCC_VERSION_MINOR) +# define COMPILER_VERSION_PATCH DEC(__SDCC_VERSION_PATCH) +# else + /* SDCC = VRP */ +# define COMPILER_VERSION_MAJOR DEC(SDCC/100) +# define COMPILER_VERSION_MINOR DEC(SDCC/10 % 10) +# define COMPILER_VERSION_PATCH DEC(SDCC % 10) +# endif + + +/* These compilers are either not known or too old to define an + identification macro. Try to identify the platform and guess that + it is the native compiler. */ +#elif defined(__hpux) || defined(__hpua) +# define COMPILER_ID "HP" + +#else /* unknown compiler */ +# define COMPILER_ID "" +#endif + +/* Construct the string literal in pieces to prevent the source from + getting matched. Store it in a pointer rather than an array + because some compilers will just produce instructions to fill the + array rather than assigning a pointer to a static array. */ +char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]"; +#ifdef SIMULATE_ID +char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]"; +#endif + +#ifdef __QNXNTO__ +char const* qnxnto = "INFO" ":" "qnxnto[]"; +#endif + +#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) +char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]"; +#endif + +#define STRINGIFY_HELPER(X) #X +#define STRINGIFY(X) STRINGIFY_HELPER(X) + +/* Identify known platforms by name. 
*/ +#if defined(__linux) || defined(__linux__) || defined(linux) +# define PLATFORM_ID "Linux" + +#elif defined(__MSYS__) +# define PLATFORM_ID "MSYS" + +#elif defined(__CYGWIN__) +# define PLATFORM_ID "Cygwin" + +#elif defined(__MINGW32__) +# define PLATFORM_ID "MinGW" + +#elif defined(__APPLE__) +# define PLATFORM_ID "Darwin" + +#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32) +# define PLATFORM_ID "Windows" + +#elif defined(__FreeBSD__) || defined(__FreeBSD) +# define PLATFORM_ID "FreeBSD" + +#elif defined(__NetBSD__) || defined(__NetBSD) +# define PLATFORM_ID "NetBSD" + +#elif defined(__OpenBSD__) || defined(__OPENBSD) +# define PLATFORM_ID "OpenBSD" + +#elif defined(__sun) || defined(sun) +# define PLATFORM_ID "SunOS" + +#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__) +# define PLATFORM_ID "AIX" + +#elif defined(__hpux) || defined(__hpux__) +# define PLATFORM_ID "HP-UX" + +#elif defined(__HAIKU__) +# define PLATFORM_ID "Haiku" + +#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS) +# define PLATFORM_ID "BeOS" + +#elif defined(__QNX__) || defined(__QNXNTO__) +# define PLATFORM_ID "QNX" + +#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__) +# define PLATFORM_ID "Tru64" + +#elif defined(__riscos) || defined(__riscos__) +# define PLATFORM_ID "RISCos" + +#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__) +# define PLATFORM_ID "SINIX" + +#elif defined(__UNIX_SV__) +# define PLATFORM_ID "UNIX_SV" + +#elif defined(__bsdos__) +# define PLATFORM_ID "BSDOS" + +#elif defined(_MPRAS) || defined(MPRAS) +# define PLATFORM_ID "MP-RAS" + +#elif defined(__osf) || defined(__osf__) +# define PLATFORM_ID "OSF1" + +#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv) +# define PLATFORM_ID "SCO_SV" + +#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX) +# define PLATFORM_ID "ULTRIX" + +#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX) +# define 
PLATFORM_ID "Xenix" + +#elif defined(__WATCOMC__) +# if defined(__LINUX__) +# define PLATFORM_ID "Linux" + +# elif defined(__DOS__) +# define PLATFORM_ID "DOS" + +# elif defined(__OS2__) +# define PLATFORM_ID "OS2" + +# elif defined(__WINDOWS__) +# define PLATFORM_ID "Windows3x" + +# elif defined(__VXWORKS__) +# define PLATFORM_ID "VxWorks" + +# else /* unknown platform */ +# define PLATFORM_ID +# endif + +#elif defined(__INTEGRITY) +# if defined(INT_178B) +# define PLATFORM_ID "Integrity178" + +# else /* regular Integrity */ +# define PLATFORM_ID "Integrity" +# endif + +# elif defined(_ADI_COMPILER) +# define PLATFORM_ID "ADSP" + +#else /* unknown platform */ +# define PLATFORM_ID + +#endif + +/* For windows compilers MSVC and Intel we can determine + the architecture of the compiler being used. This is because + the compilers do not have flags that can change the architecture, + but rather depend on which compiler is being used +*/ +#if defined(_WIN32) && defined(_MSC_VER) +# if defined(_M_IA64) +# define ARCHITECTURE_ID "IA64" + +# elif defined(_M_ARM64EC) +# define ARCHITECTURE_ID "ARM64EC" + +# elif defined(_M_X64) || defined(_M_AMD64) +# define ARCHITECTURE_ID "x64" + +# elif defined(_M_IX86) +# define ARCHITECTURE_ID "X86" + +# elif defined(_M_ARM64) +# define ARCHITECTURE_ID "ARM64" + +# elif defined(_M_ARM) +# if _M_ARM == 4 +# define ARCHITECTURE_ID "ARMV4I" +# elif _M_ARM == 5 +# define ARCHITECTURE_ID "ARMV5I" +# else +# define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM) +# endif + +# elif defined(_M_MIPS) +# define ARCHITECTURE_ID "MIPS" + +# elif defined(_M_SH) +# define ARCHITECTURE_ID "SHx" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__WATCOMC__) +# if defined(_M_I86) +# define ARCHITECTURE_ID "I86" + +# elif defined(_M_IX86) +# define ARCHITECTURE_ID "X86" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) +# if 
defined(__ICCARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__ICCRX__) +# define ARCHITECTURE_ID "RX" + +# elif defined(__ICCRH850__) +# define ARCHITECTURE_ID "RH850" + +# elif defined(__ICCRL78__) +# define ARCHITECTURE_ID "RL78" + +# elif defined(__ICCRISCV__) +# define ARCHITECTURE_ID "RISCV" + +# elif defined(__ICCAVR__) +# define ARCHITECTURE_ID "AVR" + +# elif defined(__ICC430__) +# define ARCHITECTURE_ID "MSP430" + +# elif defined(__ICCV850__) +# define ARCHITECTURE_ID "V850" + +# elif defined(__ICC8051__) +# define ARCHITECTURE_ID "8051" + +# elif defined(__ICCSTM8__) +# define ARCHITECTURE_ID "STM8" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__ghs__) +# if defined(__PPC64__) +# define ARCHITECTURE_ID "PPC64" + +# elif defined(__ppc__) +# define ARCHITECTURE_ID "PPC" + +# elif defined(__ARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__x86_64__) +# define ARCHITECTURE_ID "x64" + +# elif defined(__i386__) +# define ARCHITECTURE_ID "X86" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__TI_COMPILER_VERSION__) +# if defined(__TI_ARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__MSP430__) +# define ARCHITECTURE_ID "MSP430" + +# elif defined(__TMS320C28XX__) +# define ARCHITECTURE_ID "TMS320C28x" + +# elif defined(__TMS320C6X__) || defined(_TMS320C6X) +# define ARCHITECTURE_ID "TMS320C6x" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +# elif defined(__ADSPSHARC__) +# define ARCHITECTURE_ID "SHARC" + +# elif defined(__ADSPBLACKFIN__) +# define ARCHITECTURE_ID "Blackfin" + +#elif defined(__TASKING__) + +# if defined(__CTC__) || defined(__CPTC__) +# define ARCHITECTURE_ID "TriCore" + +# elif defined(__CMCS__) +# define ARCHITECTURE_ID "MCS" + +# elif defined(__CARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__CARC__) +# define ARCHITECTURE_ID "ARC" + +# elif defined(__C51__) +# define ARCHITECTURE_ID 
"8051" + +# elif defined(__CPCP__) +# define ARCHITECTURE_ID "PCP" + +# else +# define ARCHITECTURE_ID "" +# endif + +#else +# define ARCHITECTURE_ID +#endif + +/* Convert integer to decimal digit literals. */ +#define DEC(n) \ + ('0' + (((n) / 10000000)%10)), \ + ('0' + (((n) / 1000000)%10)), \ + ('0' + (((n) / 100000)%10)), \ + ('0' + (((n) / 10000)%10)), \ + ('0' + (((n) / 1000)%10)), \ + ('0' + (((n) / 100)%10)), \ + ('0' + (((n) / 10)%10)), \ + ('0' + ((n) % 10)) + +/* Convert integer to hex digit literals. */ +#define HEX(n) \ + ('0' + ((n)>>28 & 0xF)), \ + ('0' + ((n)>>24 & 0xF)), \ + ('0' + ((n)>>20 & 0xF)), \ + ('0' + ((n)>>16 & 0xF)), \ + ('0' + ((n)>>12 & 0xF)), \ + ('0' + ((n)>>8 & 0xF)), \ + ('0' + ((n)>>4 & 0xF)), \ + ('0' + ((n) & 0xF)) + +/* Construct a string literal encoding the version number. */ +#ifdef COMPILER_VERSION +char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]"; + +/* Construct a string literal encoding the version number components. */ +#elif defined(COMPILER_VERSION_MAJOR) +char const info_version[] = { + 'I', 'N', 'F', 'O', ':', + 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[', + COMPILER_VERSION_MAJOR, +# ifdef COMPILER_VERSION_MINOR + '.', COMPILER_VERSION_MINOR, +# ifdef COMPILER_VERSION_PATCH + '.', COMPILER_VERSION_PATCH, +# ifdef COMPILER_VERSION_TWEAK + '.', COMPILER_VERSION_TWEAK, +# endif +# endif +# endif + ']','\0'}; +#endif + +/* Construct a string literal encoding the internal version number. 
*/ +#ifdef COMPILER_VERSION_INTERNAL +char const info_version_internal[] = { + 'I', 'N', 'F', 'O', ':', + 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_', + 'i','n','t','e','r','n','a','l','[', + COMPILER_VERSION_INTERNAL,']','\0'}; +#elif defined(COMPILER_VERSION_INTERNAL_STR) +char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]"; +#endif + +/* Construct a string literal encoding the version number components. */ +#ifdef SIMULATE_VERSION_MAJOR +char const info_simulate_version[] = { + 'I', 'N', 'F', 'O', ':', + 's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[', + SIMULATE_VERSION_MAJOR, +# ifdef SIMULATE_VERSION_MINOR + '.', SIMULATE_VERSION_MINOR, +# ifdef SIMULATE_VERSION_PATCH + '.', SIMULATE_VERSION_PATCH, +# ifdef SIMULATE_VERSION_TWEAK + '.', SIMULATE_VERSION_TWEAK, +# endif +# endif +# endif + ']','\0'}; +#endif + +/* Construct the string literal in pieces to prevent the source from + getting matched. Store it in a pointer rather than an array + because some compilers will just produce instructions to fill the + array rather than assigning a pointer to a static array. 
*/ +char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]"; +char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]"; + + + +#if !defined(__STDC__) && !defined(__clang__) +# if defined(_MSC_VER) || defined(__ibmxl__) || defined(__IBMC__) +# define C_VERSION "90" +# else +# define C_VERSION +# endif +#elif __STDC_VERSION__ > 201710L +# define C_VERSION "23" +#elif __STDC_VERSION__ >= 201710L +# define C_VERSION "17" +#elif __STDC_VERSION__ >= 201000L +# define C_VERSION "11" +#elif __STDC_VERSION__ >= 199901L +# define C_VERSION "99" +#else +# define C_VERSION "90" +#endif +const char* info_language_standard_default = + "INFO" ":" "standard_default[" C_VERSION "]"; + +const char* info_language_extensions_default = "INFO" ":" "extensions_default[" +#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) || \ + defined(__TI_COMPILER_VERSION__)) && \ + !defined(__STRICT_ANSI__) + "ON" +#else + "OFF" +#endif +"]"; + +/*--------------------------------------------------------------------------*/ + +#ifdef ID_VOID_MAIN +void main() {} +#else +# if defined(__CLASSIC_C__) +int main(argc, argv) int argc; char *argv[]; +# else +int main(int argc, char* argv[]) +# endif +{ + int require = 0; + require += info_compiler[argc]; + require += info_platform[argc]; + require += info_arch[argc]; +#ifdef COMPILER_VERSION_MAJOR + require += info_version[argc]; +#endif +#ifdef COMPILER_VERSION_INTERNAL + require += info_version_internal[argc]; +#endif +#ifdef SIMULATE_ID + require += info_simulate[argc]; +#endif +#ifdef SIMULATE_VERSION_MAJOR + require += info_simulate_version[argc]; +#endif +#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) + require += info_cray[argc]; +#endif + require += info_language_standard_default[argc]; + require += info_language_extensions_default[argc]; + (void)argv; + return require; +} +#endif 
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out new file mode 100755 index 0000000000000000000000000000000000000000..59cce56d0864b921fa3ad5b3107537b269645584 GIT binary patch literal 80632 zcmeI3eQX@Zb->@=T=6v*jn?`}yR zblfBMmJSsMHIw*{v4y z7M96rIlNA1S%T_~{-w5FU)JTvgCKu_}w&qEU%b`vE=?y-)NgK z@g~w1<|uEGfMNB!BFUE0@z;V9?H@FO4z9IGjd?9w`TYs{Q9Exnbs57GroL8Owwd;` z5j%x2xyJ z|MaDs&p-d#0}GwhM`{DbBO6L&-=X%jp31mBqkdaK_L~!|9ztC2F7UQk+r? zd$4UJQnYJ<;|KPPQ})0qRQ&)*OI#j=kt1V+Lw0|z??7XB-+r*iCXU)A*LSDNwZQc! zjt*6-o;%?bDlW#HnyGpwrmamA4FS?fDuo1@R|++EVOx2epI-bcoE{mt-{>x>d>V3? zr*x&BS2BeI(>MfBb2X%=@!@nWq>mntgUTe0akwp{SPLuqaGb7?p5_FnNAAzOy!^xu zzOtNwMI5{H%TN69nIE9;a>o8C+mO70HaAdozcsSd_39&w+4Rnz?#yOh=B+CQ=epC@ zQdb&OnaZ!h{C%PPZI~a_`Ecx8*|&Q#FW(CbFYdtYwG4dqm5jCY>iw|z3v4&~pMxuR zEM~B*4Y!}w>rek2H}V+(*g|cjed^OS>;t?$vSa~V`j>irE9s~lA)bS5Y7v*{bGuMJ z0`SYrxQx7l_Pef+EIDX@Ba`|nV80ccnEft*AK&-plRwF?|M;hOy_x^q57GWr^c}o0 zvQ$vM>4q=Wr@4P$asPEEEZvUrPT!Y*XaV58)c!0ioH%`7>Y-nET1(4M{9R*Am^bz3 z-?9DmPr^T6+XTI1X>qe(DSMeUZi@Jcr}+myXYH8asA){NZAC zX0}{${ZqIiepr`A^!DSfUn^I=Q@twn_2=|XZ(n1_xPkJUtvJDC)t@r?8ZC!lS9N9ykNJC$x5mi_IU_4+}S zknh+*=aYBib_I2Oj-?{U&9niFDMK->^UK_uxkD%3?bPP(prheq;8FZGV#) z{9JnU-+uO!ji^C2)pH)V0kjL(LwaieZq&D>a0k7g+=x<=5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$tEe?Z{)8cX$}%gB`J(_KccH}XQ8rS>+M{9_$D&vw_B^Qz=-Q@+;7 z?MB`(<@dzOfBROwN~#NKiv+Z*Ux3k!rS{gC{IhADzs=%TQ9BBW^QX>+Dykpq+hdry$2qI21n+ZC8(4%>vn(6 z^UB^-cB)v64;EyV;fk%}dDTMMOSI)Rf#c3r=BCipb7tI!v&NCa@v*Dz_Kb{w5Gw6> 
zfUb$uwI@x-@TQ3FUA4d|p0SG+r#206d!%enanhdktASe#%2khI^O|MqIXr%1V(jpT zpiXXgMtt8ja%609=;TQ||LCKK&}#hHqgWnmPY1Q9J>s{EhBqFoI#UkpNgsP{&sNJ` z;QDA2Ys(s3A5Va9J;%AQIT~jJ4H)uC=Fq$j>_Ph!&S+jAvQ!_Y{U#1y zr)Vtz*SmXrwBF$s_9s_u&vuy4MB`Li*gw@m&+X}17mf497WUt5q31YPHb&#T*uwrl zTIe~>$F@Y{WYS2m<+wDjKld1WKDWgAufHc6f4{NkYYw(QzG}VO;j#8;oJtG(&$Q5U zf7f?C+$HQd;ud4yW&o#@W}xe!}SEoS!iII8R>p;`X}z z-SA9oeY=QpR$D*g@xP4rX->*Q`{Vi-jQ&c@UUS<73$gR>zZ!e~PLtd7E7Ye#=QTPEDd{-P=hmOx z)13KxP#uNiG@r+N(LM#udLH-7v2oY>=JW43#z~qF%z?i%jJ9VhWMk)Lo`?KRUevxD zcCWKorDS2%db`1j*`HDUZPrt;r1qax_RZHbpFllbLC3G7{!-aDU+3t4HDA|#4ed8m zs91Ud_1Tz?vK#P&wJgqx_;u0G(Y`A*e;Tf6Px|=v&l}2qYtwbq616AYeB9Md{CJ#B z6~DPX+f+Lnt!V805$e0s&Bw)l)F*K`ME3aAAYaE~GgO*T`mM0r%pc7cpkVY?O#jEY z-X?MQB-M-SEw6hVr%fDi-Y=N=Ja5_lE2vM3|1G1BU$0VMDL&8hHgmu~Pw~^u zQ!J@LHQVJY)|<8+78Z-w4id?@-sU#<#0^I+Q_ z@ts+F#wmNyQ-YlNRK<1*W!uB=G;_ryo$Y#wwz=tQ(8|75S#Hj&l+U=8vn?H0Gsxk` zrhYIt+tPWJ@|-(gZrxl}Xe$tbGqn=G?3IHs6`hX~(Yk1lSL~AX2^2yO%>+yhO}z^_ zwJ3}AI^+<=f$l-MX!~xZS`7C$s*m-ID9$UJXB8wu2e`+`8(yH9Ve6ReP#ZEjSgs6jc41?aa+Xu{twbaRaxM>rJ+> zCvhIwj_*5Xu}gt}7WB8#rMa1zv*;4a*)(G!rb9=aGw#q3)={pw{#XfT3pSGmxQeca zPvnmtvJV{_wr#M7KXfdAbZiLK_^$)|(5NXL9X*JIMdIiOYL&9oQz*MXw{Jh#V-rX16$}$chX}%iQ>eJ;Sg6&EABJ&DPT+v*rYXYq zQHyLU&~})anyGp#PIjqQwWl4ggz=n0)ejn#_Z`5>$I-G>_UyTuTY|DTS+!>?PB2;Z zXLPROcvExElxw^5NTY@yyw|X``YZ7k!>=7_xCkXSh+Em{4C=6-hNr5uQ4K=!N{(Mz zsf76OB#F|YLDZE!?)ua;opJo)G(fI)b|!ENC<9;1Y2H(x%HwLQ&J9!ET&^%zu9Wtc z@pPb6`N6ThYPqDcY5E61u5{MJcv=QNHMVosOPmvh=f&rt2b`xw}nDdQP!icVAblT#JwU`QBpNPY(Aziy=JTFwaq zzg(CL@ZkF2Ci?#sT@ui3BBg<}MFOP~!2i$EIc>}PB=5(q12^{P=cf}!(L+X|#Mf1< z!oQhB{P{V`yz$Snp^+)kEf(1!j)#(92TeAW2(swnzDDdF}THPG`qV#@yfTzRblJ!%ZO{&@eNGX8_c zj-NjtPw=OA0dfD&qK?{ymxU_vbLtDmpU2M>tG4n!$v?*}?9b1$FB|{kVPo8%puoiQMCUYX-Y0nxH}YrxeE%_T{Qn-y z!io8@?it((`}2L`L1Q?~hDI7J4ehsM{`_2i!T7&j{g=^yBW`B8HJ;yJUq&USczZd| z@*mNL{;S3Q{G9*BE&5+YUz$7Y&+h|n8viQ<2NTaPu9xS*D_BM*?9cBFUNBGWvse~R z?9cKSSQz%__Y2pJKOcV_gZ)_kXUw1Px3{UNfcHt!#D1*(E$)zx+t2rZqsBjOZ*Z_X 
z{5S5AE?y7&tM>&BYi&zej+4P1nyL$=#KiaQ^TuM!4z1^Rdhz*3ad_@)OZ|Iphpyq9 x#*x;6$8qES@Nq@|r{%tDPyK7XTl??ifj5O(yJFdmyGj0bzqY(9<`B!m{{a6BpB4ZB literal 0 HcmV?d00001 diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp new file mode 100644 index 000000000000..746b1672e640 --- /dev/null +++ b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp 
@@ -0,0 +1,855 @@ +/* This source file must have a .cpp extension so that all C++ compilers + recognize the extension without flags. Borland does not know .cxx for + example. */ +#ifndef __cplusplus +# error "A C compiler has been selected for C++." +#endif + +#if !defined(__has_include) +/* If the compiler does not have __has_include, pretend the answer is + always no. */ +# define __has_include(x) 0 +#endif + + +/* Version number components: V=Version, R=Revision, P=Patch + Version date components: YYYY=Year, MM=Month, DD=Day */ + +#if defined(__COMO__) +# define COMPILER_ID "Comeau" + /* __COMO_VERSION__ = VRR */ +# define COMPILER_VERSION_MAJOR DEC(__COMO_VERSION__ / 100) +# define COMPILER_VERSION_MINOR DEC(__COMO_VERSION__ % 100) + +#elif defined(__INTEL_COMPILER) || defined(__ICC) +# define COMPILER_ID "Intel" +# if defined(_MSC_VER) +# define SIMULATE_ID "MSVC" +# endif +# if defined(__GNUC__) +# define SIMULATE_ID "GNU" +# endif + /* __INTEL_COMPILER = VRP prior to 2021, and then VVVV for 2021 and later, + except that a few beta releases use the old format with V=2021. */ +# if __INTEL_COMPILER < 2021 || __INTEL_COMPILER == 202110 || __INTEL_COMPILER == 202111 +# define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER/100) +# define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER/10 % 10) +# if defined(__INTEL_COMPILER_UPDATE) +# define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER_UPDATE) +# else +# define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER % 10) +# endif +# else +# define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER) +# define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER_UPDATE) + /* The third version component from --version is an update index, + but no macro is provided for it. 
*/ +# define COMPILER_VERSION_PATCH DEC(0) +# endif +# if defined(__INTEL_COMPILER_BUILD_DATE) + /* __INTEL_COMPILER_BUILD_DATE = YYYYMMDD */ +# define COMPILER_VERSION_TWEAK DEC(__INTEL_COMPILER_BUILD_DATE) +# endif +# if defined(_MSC_VER) + /* _MSC_VER = VVRR */ +# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) +# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) +# endif +# if defined(__GNUC__) +# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) +# elif defined(__GNUG__) +# define SIMULATE_VERSION_MAJOR DEC(__GNUG__) +# endif +# if defined(__GNUC_MINOR__) +# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) +# endif +# if defined(__GNUC_PATCHLEVEL__) +# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) +# endif + +#elif (defined(__clang__) && defined(__INTEL_CLANG_COMPILER)) || defined(__INTEL_LLVM_COMPILER) +# define COMPILER_ID "IntelLLVM" +#if defined(_MSC_VER) +# define SIMULATE_ID "MSVC" +#endif +#if defined(__GNUC__) +# define SIMULATE_ID "GNU" +#endif +/* __INTEL_LLVM_COMPILER = VVVVRP prior to 2021.2.0, VVVVRRPP for 2021.2.0 and + * later. Look for 6 digit vs. 8 digit version number to decide encoding. + * VVVV is no smaller than the current year when a version is released. 
+ */ +#if __INTEL_LLVM_COMPILER < 1000000L +# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/100) +# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/10 % 10) +# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER % 10) +#else +# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/10000) +# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/100 % 100) +# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER % 100) +#endif +#if defined(_MSC_VER) + /* _MSC_VER = VVRR */ +# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) +# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) +#endif +#if defined(__GNUC__) +# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) +#elif defined(__GNUG__) +# define SIMULATE_VERSION_MAJOR DEC(__GNUG__) +#endif +#if defined(__GNUC_MINOR__) +# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) +#endif +#if defined(__GNUC_PATCHLEVEL__) +# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) +#endif + +#elif defined(__PATHCC__) +# define COMPILER_ID "PathScale" +# define COMPILER_VERSION_MAJOR DEC(__PATHCC__) +# define COMPILER_VERSION_MINOR DEC(__PATHCC_MINOR__) +# if defined(__PATHCC_PATCHLEVEL__) +# define COMPILER_VERSION_PATCH DEC(__PATHCC_PATCHLEVEL__) +# endif + +#elif defined(__BORLANDC__) && defined(__CODEGEARC_VERSION__) +# define COMPILER_ID "Embarcadero" +# define COMPILER_VERSION_MAJOR HEX(__CODEGEARC_VERSION__>>24 & 0x00FF) +# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF) +# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__ & 0xFFFF) + +#elif defined(__BORLANDC__) +# define COMPILER_ID "Borland" + /* __BORLANDC__ = 0xVRR */ +# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8) +# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF) + +#elif defined(__WATCOMC__) && __WATCOMC__ < 1200 +# define COMPILER_ID "Watcom" + /* __WATCOMC__ = VVRR */ +# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100) +# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) +# if (__WATCOMC__ % 
10) > 0 +# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) +# endif + +#elif defined(__WATCOMC__) +# define COMPILER_ID "OpenWatcom" + /* __WATCOMC__ = VVRP + 1100 */ +# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100) +# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) +# if (__WATCOMC__ % 10) > 0 +# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) +# endif + +#elif defined(__SUNPRO_CC) +# define COMPILER_ID "SunPro" +# if __SUNPRO_CC >= 0x5100 + /* __SUNPRO_CC = 0xVRRP */ +# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>12) +# define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xFF) +# define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC & 0xF) +# else + /* __SUNPRO_CC = 0xVRP */ +# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>8) +# define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xF) +# define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC & 0xF) +# endif + +#elif defined(__HP_aCC) +# define COMPILER_ID "HP" + /* __HP_aCC = VVRRPP */ +# define COMPILER_VERSION_MAJOR DEC(__HP_aCC/10000) +# define COMPILER_VERSION_MINOR DEC(__HP_aCC/100 % 100) +# define COMPILER_VERSION_PATCH DEC(__HP_aCC % 100) + +#elif defined(__DECCXX) +# define COMPILER_ID "Compaq" + /* __DECCXX_VER = VVRRTPPPP */ +# define COMPILER_VERSION_MAJOR DEC(__DECCXX_VER/10000000) +# define COMPILER_VERSION_MINOR DEC(__DECCXX_VER/100000 % 100) +# define COMPILER_VERSION_PATCH DEC(__DECCXX_VER % 10000) + +#elif defined(__IBMCPP__) && defined(__COMPILER_VER__) +# define COMPILER_ID "zOS" + /* __IBMCPP__ = VRP */ +# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100) +# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10) +# define COMPILER_VERSION_PATCH DEC(__IBMCPP__ % 10) + +#elif defined(__open_xl__) && defined(__clang__) +# define COMPILER_ID "IBMClang" +# define COMPILER_VERSION_MAJOR DEC(__open_xl_version__) +# define COMPILER_VERSION_MINOR DEC(__open_xl_release__) +# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__) +# define COMPILER_VERSION_TWEAK 
DEC(__open_xl_ptf_fix_level__) + + +#elif defined(__ibmxl__) && defined(__clang__) +# define COMPILER_ID "XLClang" +# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__) +# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__) +# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__) +# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__) + + +#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ >= 800 +# define COMPILER_ID "XL" + /* __IBMCPP__ = VRP */ +# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100) +# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10) +# define COMPILER_VERSION_PATCH DEC(__IBMCPP__ % 10) + +#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ < 800 +# define COMPILER_ID "VisualAge" + /* __IBMCPP__ = VRP */ +# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100) +# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10) +# define COMPILER_VERSION_PATCH DEC(__IBMCPP__ % 10) + +#elif defined(__NVCOMPILER) +# define COMPILER_ID "NVHPC" +# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__) +# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__) +# if defined(__NVCOMPILER_PATCHLEVEL__) +# define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__) +# endif + +#elif defined(__PGI) +# define COMPILER_ID "PGI" +# define COMPILER_VERSION_MAJOR DEC(__PGIC__) +# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__) +# if defined(__PGIC_PATCHLEVEL__) +# define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__) +# endif + +#elif defined(_CRAYC) +# define COMPILER_ID "Cray" +# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR) +# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR) + +#elif defined(__TI_COMPILER_VERSION__) +# define COMPILER_ID "TI" + /* __TI_COMPILER_VERSION__ = VVVRRRPPP */ +# define COMPILER_VERSION_MAJOR DEC(__TI_COMPILER_VERSION__/1000000) +# define COMPILER_VERSION_MINOR DEC(__TI_COMPILER_VERSION__/1000 % 1000) +# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__ % 1000) + +#elif 
defined(__CLANG_FUJITSU) +# define COMPILER_ID "FujitsuClang" +# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) +# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) +# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) +# define COMPILER_VERSION_INTERNAL_STR __clang_version__ + + +#elif defined(__FUJITSU) +# define COMPILER_ID "Fujitsu" +# if defined(__FCC_version__) +# define COMPILER_VERSION __FCC_version__ +# elif defined(__FCC_major__) +# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) +# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) +# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) +# endif +# if defined(__fcc_version) +# define COMPILER_VERSION_INTERNAL DEC(__fcc_version) +# elif defined(__FCC_VERSION) +# define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION) +# endif + + +#elif defined(__ghs__) +# define COMPILER_ID "GHS" +/* __GHS_VERSION_NUMBER = VVVVRP */ +# ifdef __GHS_VERSION_NUMBER +# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100) +# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10) +# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER % 10) +# endif + +#elif defined(__TASKING__) +# define COMPILER_ID "Tasking" + # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000) + # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100) +# define COMPILER_VERSION_INTERNAL DEC(__VERSION__) + +#elif defined(__SCO_VERSION__) +# define COMPILER_ID "SCO" + +#elif defined(__ARMCC_VERSION) && !defined(__clang__) +# define COMPILER_ID "ARMCC" +#if __ARMCC_VERSION >= 1000000 + /* __ARMCC_VERSION = VRRPPPP */ + # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000) + # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 100) + # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) +#else + /* __ARMCC_VERSION = VRPPPP */ + # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000) + # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10) + # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) 
+#endif + + +#elif defined(__clang__) && defined(__apple_build_version__) +# define COMPILER_ID "AppleClang" +# if defined(_MSC_VER) +# define SIMULATE_ID "MSVC" +# endif +# define COMPILER_VERSION_MAJOR DEC(__clang_major__) +# define COMPILER_VERSION_MINOR DEC(__clang_minor__) +# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) +# if defined(_MSC_VER) + /* _MSC_VER = VVRR */ +# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) +# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) +# endif +# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__) + +#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION) +# define COMPILER_ID "ARMClang" + # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000) + # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100) + # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION % 10000) +# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION) + +#elif defined(__clang__) +# define COMPILER_ID "Clang" +# if defined(_MSC_VER) +# define SIMULATE_ID "MSVC" +# endif +# define COMPILER_VERSION_MAJOR DEC(__clang_major__) +# define COMPILER_VERSION_MINOR DEC(__clang_minor__) +# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) +# if defined(_MSC_VER) + /* _MSC_VER = VVRR */ +# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) +# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) +# endif + +#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__)) +# define COMPILER_ID "LCC" +# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100) +# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100) +# if defined(__LCC_MINOR__) +# define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__) +# endif +# if defined(__GNUC__) && defined(__GNUC_MINOR__) +# define SIMULATE_ID "GNU" +# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) +# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) +# if defined(__GNUC_PATCHLEVEL__) +# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) +# endif +# endif + +#elif 
defined(__GNUC__) || defined(__GNUG__) +# define COMPILER_ID "GNU" +# if defined(__GNUC__) +# define COMPILER_VERSION_MAJOR DEC(__GNUC__) +# else +# define COMPILER_VERSION_MAJOR DEC(__GNUG__) +# endif +# if defined(__GNUC_MINOR__) +# define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__) +# endif +# if defined(__GNUC_PATCHLEVEL__) +# define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) +# endif + +#elif defined(_MSC_VER) +# define COMPILER_ID "MSVC" + /* _MSC_VER = VVRR */ +# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100) +# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100) +# if defined(_MSC_FULL_VER) +# if _MSC_VER >= 1400 + /* _MSC_FULL_VER = VVRRPPPPP */ +# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000) +# else + /* _MSC_FULL_VER = VVRRPPPP */ +# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000) +# endif +# endif +# if defined(_MSC_BUILD) +# define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD) +# endif + +#elif defined(_ADI_COMPILER) +# define COMPILER_ID "ADSP" +#if defined(__VERSIONNUM__) + /* __VERSIONNUM__ = 0xVVRRPPTT */ +# define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF) +# define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF) +# define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF) +# define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF) +#endif + +#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) +# define COMPILER_ID "IAR" +# if defined(__VER__) && defined(__ICCARM__) +# define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000) +# define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000) +# define COMPILER_VERSION_PATCH DEC((__VER__) % 1000) +# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) +# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__)) +# define COMPILER_VERSION_MAJOR DEC((__VER__) / 100) 
+# define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100)) +# define COMPILER_VERSION_PATCH DEC(__SUBVERSION__) +# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) +# endif + + +/* These compilers are either not known or too old to define an + identification macro. Try to identify the platform and guess that + it is the native compiler. */ +#elif defined(__hpux) || defined(__hpua) +# define COMPILER_ID "HP" + +#else /* unknown compiler */ +# define COMPILER_ID "" +#endif + +/* Construct the string literal in pieces to prevent the source from + getting matched. Store it in a pointer rather than an array + because some compilers will just produce instructions to fill the + array rather than assigning a pointer to a static array. */ +char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]"; +#ifdef SIMULATE_ID +char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]"; +#endif + +#ifdef __QNXNTO__ +char const* qnxnto = "INFO" ":" "qnxnto[]"; +#endif + +#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) +char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]"; +#endif + +#define STRINGIFY_HELPER(X) #X +#define STRINGIFY(X) STRINGIFY_HELPER(X) + +/* Identify known platforms by name. 
*/ +#if defined(__linux) || defined(__linux__) || defined(linux) +# define PLATFORM_ID "Linux" + +#elif defined(__MSYS__) +# define PLATFORM_ID "MSYS" + +#elif defined(__CYGWIN__) +# define PLATFORM_ID "Cygwin" + +#elif defined(__MINGW32__) +# define PLATFORM_ID "MinGW" + +#elif defined(__APPLE__) +# define PLATFORM_ID "Darwin" + +#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32) +# define PLATFORM_ID "Windows" + +#elif defined(__FreeBSD__) || defined(__FreeBSD) +# define PLATFORM_ID "FreeBSD" + +#elif defined(__NetBSD__) || defined(__NetBSD) +# define PLATFORM_ID "NetBSD" + +#elif defined(__OpenBSD__) || defined(__OPENBSD) +# define PLATFORM_ID "OpenBSD" + +#elif defined(__sun) || defined(sun) +# define PLATFORM_ID "SunOS" + +#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__) +# define PLATFORM_ID "AIX" + +#elif defined(__hpux) || defined(__hpux__) +# define PLATFORM_ID "HP-UX" + +#elif defined(__HAIKU__) +# define PLATFORM_ID "Haiku" + +#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS) +# define PLATFORM_ID "BeOS" + +#elif defined(__QNX__) || defined(__QNXNTO__) +# define PLATFORM_ID "QNX" + +#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__) +# define PLATFORM_ID "Tru64" + +#elif defined(__riscos) || defined(__riscos__) +# define PLATFORM_ID "RISCos" + +#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__) +# define PLATFORM_ID "SINIX" + +#elif defined(__UNIX_SV__) +# define PLATFORM_ID "UNIX_SV" + +#elif defined(__bsdos__) +# define PLATFORM_ID "BSDOS" + +#elif defined(_MPRAS) || defined(MPRAS) +# define PLATFORM_ID "MP-RAS" + +#elif defined(__osf) || defined(__osf__) +# define PLATFORM_ID "OSF1" + +#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv) +# define PLATFORM_ID "SCO_SV" + +#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX) +# define PLATFORM_ID "ULTRIX" + +#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX) +# define 
PLATFORM_ID "Xenix" + +#elif defined(__WATCOMC__) +# if defined(__LINUX__) +# define PLATFORM_ID "Linux" + +# elif defined(__DOS__) +# define PLATFORM_ID "DOS" + +# elif defined(__OS2__) +# define PLATFORM_ID "OS2" + +# elif defined(__WINDOWS__) +# define PLATFORM_ID "Windows3x" + +# elif defined(__VXWORKS__) +# define PLATFORM_ID "VxWorks" + +# else /* unknown platform */ +# define PLATFORM_ID +# endif + +#elif defined(__INTEGRITY) +# if defined(INT_178B) +# define PLATFORM_ID "Integrity178" + +# else /* regular Integrity */ +# define PLATFORM_ID "Integrity" +# endif + +# elif defined(_ADI_COMPILER) +# define PLATFORM_ID "ADSP" + +#else /* unknown platform */ +# define PLATFORM_ID + +#endif + +/* For windows compilers MSVC and Intel we can determine + the architecture of the compiler being used. This is because + the compilers do not have flags that can change the architecture, + but rather depend on which compiler is being used +*/ +#if defined(_WIN32) && defined(_MSC_VER) +# if defined(_M_IA64) +# define ARCHITECTURE_ID "IA64" + +# elif defined(_M_ARM64EC) +# define ARCHITECTURE_ID "ARM64EC" + +# elif defined(_M_X64) || defined(_M_AMD64) +# define ARCHITECTURE_ID "x64" + +# elif defined(_M_IX86) +# define ARCHITECTURE_ID "X86" + +# elif defined(_M_ARM64) +# define ARCHITECTURE_ID "ARM64" + +# elif defined(_M_ARM) +# if _M_ARM == 4 +# define ARCHITECTURE_ID "ARMV4I" +# elif _M_ARM == 5 +# define ARCHITECTURE_ID "ARMV5I" +# else +# define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM) +# endif + +# elif defined(_M_MIPS) +# define ARCHITECTURE_ID "MIPS" + +# elif defined(_M_SH) +# define ARCHITECTURE_ID "SHx" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__WATCOMC__) +# if defined(_M_I86) +# define ARCHITECTURE_ID "I86" + +# elif defined(_M_IX86) +# define ARCHITECTURE_ID "X86" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) +# if 
defined(__ICCARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__ICCRX__) +# define ARCHITECTURE_ID "RX" + +# elif defined(__ICCRH850__) +# define ARCHITECTURE_ID "RH850" + +# elif defined(__ICCRL78__) +# define ARCHITECTURE_ID "RL78" + +# elif defined(__ICCRISCV__) +# define ARCHITECTURE_ID "RISCV" + +# elif defined(__ICCAVR__) +# define ARCHITECTURE_ID "AVR" + +# elif defined(__ICC430__) +# define ARCHITECTURE_ID "MSP430" + +# elif defined(__ICCV850__) +# define ARCHITECTURE_ID "V850" + +# elif defined(__ICC8051__) +# define ARCHITECTURE_ID "8051" + +# elif defined(__ICCSTM8__) +# define ARCHITECTURE_ID "STM8" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__ghs__) +# if defined(__PPC64__) +# define ARCHITECTURE_ID "PPC64" + +# elif defined(__ppc__) +# define ARCHITECTURE_ID "PPC" + +# elif defined(__ARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__x86_64__) +# define ARCHITECTURE_ID "x64" + +# elif defined(__i386__) +# define ARCHITECTURE_ID "X86" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +#elif defined(__TI_COMPILER_VERSION__) +# if defined(__TI_ARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__MSP430__) +# define ARCHITECTURE_ID "MSP430" + +# elif defined(__TMS320C28XX__) +# define ARCHITECTURE_ID "TMS320C28x" + +# elif defined(__TMS320C6X__) || defined(_TMS320C6X) +# define ARCHITECTURE_ID "TMS320C6x" + +# else /* unknown architecture */ +# define ARCHITECTURE_ID "" +# endif + +# elif defined(__ADSPSHARC__) +# define ARCHITECTURE_ID "SHARC" + +# elif defined(__ADSPBLACKFIN__) +# define ARCHITECTURE_ID "Blackfin" + +#elif defined(__TASKING__) + +# if defined(__CTC__) || defined(__CPTC__) +# define ARCHITECTURE_ID "TriCore" + +# elif defined(__CMCS__) +# define ARCHITECTURE_ID "MCS" + +# elif defined(__CARM__) +# define ARCHITECTURE_ID "ARM" + +# elif defined(__CARC__) +# define ARCHITECTURE_ID "ARC" + +# elif defined(__C51__) +# define ARCHITECTURE_ID 
"8051" + +# elif defined(__CPCP__) +# define ARCHITECTURE_ID "PCP" + +# else +# define ARCHITECTURE_ID "" +# endif + +#else +# define ARCHITECTURE_ID +#endif + +/* Convert integer to decimal digit literals. */ +#define DEC(n) \ + ('0' + (((n) / 10000000)%10)), \ + ('0' + (((n) / 1000000)%10)), \ + ('0' + (((n) / 100000)%10)), \ + ('0' + (((n) / 10000)%10)), \ + ('0' + (((n) / 1000)%10)), \ + ('0' + (((n) / 100)%10)), \ + ('0' + (((n) / 10)%10)), \ + ('0' + ((n) % 10)) + +/* Convert integer to hex digit literals. */ +#define HEX(n) \ + ('0' + ((n)>>28 & 0xF)), \ + ('0' + ((n)>>24 & 0xF)), \ + ('0' + ((n)>>20 & 0xF)), \ + ('0' + ((n)>>16 & 0xF)), \ + ('0' + ((n)>>12 & 0xF)), \ + ('0' + ((n)>>8 & 0xF)), \ + ('0' + ((n)>>4 & 0xF)), \ + ('0' + ((n) & 0xF)) + +/* Construct a string literal encoding the version number. */ +#ifdef COMPILER_VERSION +char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]"; + +/* Construct a string literal encoding the version number components. */ +#elif defined(COMPILER_VERSION_MAJOR) +char const info_version[] = { + 'I', 'N', 'F', 'O', ':', + 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[', + COMPILER_VERSION_MAJOR, +# ifdef COMPILER_VERSION_MINOR + '.', COMPILER_VERSION_MINOR, +# ifdef COMPILER_VERSION_PATCH + '.', COMPILER_VERSION_PATCH, +# ifdef COMPILER_VERSION_TWEAK + '.', COMPILER_VERSION_TWEAK, +# endif +# endif +# endif + ']','\0'}; +#endif + +/* Construct a string literal encoding the internal version number. 
*/ +#ifdef COMPILER_VERSION_INTERNAL +char const info_version_internal[] = { + 'I', 'N', 'F', 'O', ':', + 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_', + 'i','n','t','e','r','n','a','l','[', + COMPILER_VERSION_INTERNAL,']','\0'}; +#elif defined(COMPILER_VERSION_INTERNAL_STR) +char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]"; +#endif + +/* Construct a string literal encoding the version number components. */ +#ifdef SIMULATE_VERSION_MAJOR +char const info_simulate_version[] = { + 'I', 'N', 'F', 'O', ':', + 's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[', + SIMULATE_VERSION_MAJOR, +# ifdef SIMULATE_VERSION_MINOR + '.', SIMULATE_VERSION_MINOR, +# ifdef SIMULATE_VERSION_PATCH + '.', SIMULATE_VERSION_PATCH, +# ifdef SIMULATE_VERSION_TWEAK + '.', SIMULATE_VERSION_TWEAK, +# endif +# endif +# endif + ']','\0'}; +#endif + +/* Construct the string literal in pieces to prevent the source from + getting matched. Store it in a pointer rather than an array + because some compilers will just produce instructions to fill the + array rather than assigning a pointer to a static array. 
*/ +char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]"; +char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]"; + + + +#if defined(__INTEL_COMPILER) && defined(_MSVC_LANG) && _MSVC_LANG < 201403L +# if defined(__INTEL_CXX11_MODE__) +# if defined(__cpp_aggregate_nsdmi) +# define CXX_STD 201402L +# else +# define CXX_STD 201103L +# endif +# else +# define CXX_STD 199711L +# endif +#elif defined(_MSC_VER) && defined(_MSVC_LANG) +# define CXX_STD _MSVC_LANG +#else +# define CXX_STD __cplusplus +#endif + +const char* info_language_standard_default = "INFO" ":" "standard_default[" +#if CXX_STD > 202002L + "23" +#elif CXX_STD > 201703L + "20" +#elif CXX_STD >= 201703L + "17" +#elif CXX_STD >= 201402L + "14" +#elif CXX_STD >= 201103L + "11" +#else + "98" +#endif +"]"; + +const char* info_language_extensions_default = "INFO" ":" "extensions_default[" +#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) || \ + defined(__TI_COMPILER_VERSION__)) && \ + !defined(__STRICT_ANSI__) + "ON" +#else + "OFF" +#endif +"]"; + +/*--------------------------------------------------------------------------*/ + +int main(int argc, char* argv[]) +{ + int require = 0; + require += info_compiler[argc]; + require += info_platform[argc]; + require += info_arch[argc]; +#ifdef COMPILER_VERSION_MAJOR + require += info_version[argc]; +#endif +#ifdef COMPILER_VERSION_INTERNAL + require += info_version_internal[argc]; +#endif +#ifdef SIMULATE_ID + require += info_simulate[argc]; +#endif +#ifdef SIMULATE_VERSION_MAJOR + require += info_simulate_version[argc]; +#endif +#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) + require += info_cray[argc]; +#endif + require += info_language_standard_default[argc]; + require += info_language_extensions_default[argc]; + (void)argv; + return require; +} diff --git a/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml b/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml new file mode 100644 index 000000000000..353c44960b88 
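Review bot: This hunk is CMake's own compiler-identification probe emitted into the configure output tree (the `products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/` path on the file header), not project source, and it should not be committed; the project's `CMakeLists.txt` is the source, `CMakeFiles/` is what configuring produces. The binary blob immediately before this file and the `CMakeFiles/CMakeConfigureLog.yaml` section that follows are the same problem, and that log additionally records the author's local checkout path `/home/parallels/compliance_as_code/content-cealcorn/...` together with a failed C++ detection (`Compiler: CMAKE_CXX_COMPILER-NOTFOUND`), none of which belongs in the repository. Committed compiled probes cannot be reviewed by reading the diff, which is the supply-chain reason to keep them out. The fix is to drop every path under `products/bascontrol22d4/CMakeFiles/` from this change and, if the tree does not already do so, ignore `CMakeFiles/` so a configure run inside `products/` cannot be picked up by `git add` again.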
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
@@ -0,0 +1,451 @@ + +--- +events: + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineSystem.cmake:204 (message)" + - "CMakeLists.txt" + message: | + The system is: Linux - 5.18.13-200.fc36.aarch64 - aarch64 + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCCompiler.cmake:123 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the C compiler identification source file "CMakeCCompilerId.c" succeeded. + Compiler: /usr/bin/cc + Build flags: + Id flags: + + The output was: + 0 + + + Compilation of the C compiler identification source "CMakeCCompilerId.c" produced "a.out" + + The C compiler identification is GNU, found in: + /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
+ Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: -c + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: --c++ + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: --ec++ + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
+ Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: -c;-I__does_not_exist__ + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
+ Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: -c + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: --c++ + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: --ec++ + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
+ Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 + + The output was: + No such file or directory + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" + - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" + - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" + - "CMakeLists.txt" + message: | + Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. + Compiler: CMAKE_CXX_COMPILER-NOTFOUND + Build flags: + Id flags: -c;-I__does_not_exist__ + + The output was: + No such file or directory + + + - + kind: "try_compile-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:57 (try_compile)" + - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)" + - "CMakeLists.txt" + checks: + - "Detecting C compiler ABI info" + directories: + source: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C" + binary: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C" + cmakeVariables: + CMAKE_C_FLAGS: "" + buildResult: + variable: "CMAKE_C_ABI_COMPILED" + cached: true + stdout: | + Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C + + Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build + gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C' + Building C object CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o + /usr/bin/cc -v -o 
CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c + Using built-in specs. + COLLECT_GCC=/usr/bin/cc + Target: aarch64-redhat-linux + Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1 + Thread model: posix + Supported LTO compression algorithms: zlib zstd + gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) + COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/' + /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s + GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux) + compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP + + GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072 + ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed" + ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include" + 
#include "..." search starts here: + #include <...> search starts here: + /usr/lib/gcc/aarch64-redhat-linux/12/include + /usr/local/include + /usr/include + End of search list. + GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux) + compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP + + GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072 + Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454 + COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/' + as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s + GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36 + COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/ + LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/ + COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.' + Linking C executable cmTC_cf024 + /usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1 + /usr/bin/cc -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 + Using built-in specs. 
+ COLLECT_GCC=/usr/bin/cc + COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper + Target: aarch64-redhat-linux + Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1 + Thread model: posix + Supported LTO compression algorithms: zlib zstd + gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) + COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/ + LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/ + COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.' 
+ /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o + COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.' 
+ gmake[1]: Leaving directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C' + + exitCode: 0 + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:127 (message)" + - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)" + - "CMakeLists.txt" + message: | + Parsed C implicit include dir info: rv=done + found start of include info + found start of implicit include info + add: [/usr/lib/gcc/aarch64-redhat-linux/12/include] + add: [/usr/local/include] + add: [/usr/include] + end of search list found + collapse include dir [/usr/lib/gcc/aarch64-redhat-linux/12/include] ==> [/usr/lib/gcc/aarch64-redhat-linux/12/include] + collapse include dir [/usr/local/include] ==> [/usr/local/include] + collapse include dir [/usr/include] ==> [/usr/include] + implicit include dirs: [/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include] + + + - + kind: "message-v1" + backtrace: + - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:152 (message)" + - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)" + - "CMakeLists.txt" + message: | + Parsed C implicit link information: + link line regex: [^( *|.*[/\\])(ld|CMAKE_LINK_STARTFILE-NOTFOUND|([^/\\]+-)?ld|collect2)[^/\\]*( |$)] + ignore line: [Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C] + ignore line: [] + ignore line: [Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build] + ignore line: [gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C'] + ignore line: [Building C object 
CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o] + ignore line: [/usr/bin/cc -v -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c] + ignore line: [Using built-in specs.] + ignore line: [COLLECT_GCC=/usr/bin/cc] + ignore line: [Target: aarch64-redhat-linux] + ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1] + ignore line: [Thread model: posix] + ignore line: [Supported LTO compression algorithms: zlib zstd] + ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ] + ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'] + ignore line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s] + ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)] + ignore line: [ compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1) GMP version 6.2.1 MPFR version 4.1.0-p13 MPC version 1.2.1 isl version isl-0.18-GMP] + ignore line: [] + ignore line: 
[GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072] + ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed"] + ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include"] + ignore line: [#include "..." search starts here:] + ignore line: [#include <...> search starts here:] + ignore line: [ /usr/lib/gcc/aarch64-redhat-linux/12/include] + ignore line: [ /usr/local/include] + ignore line: [ /usr/include] + ignore line: [End of search list.] + ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)] + ignore line: [ compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1) GMP version 6.2.1 MPFR version 4.1.0-p13 MPC version 1.2.1 isl version isl-0.18-GMP] + ignore line: [] + ignore line: [GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072] + ignore line: [Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454] + ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'] + ignore line: [ as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s] + ignore line: [GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36] + ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/] + ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/] + ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' 
'-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.'] + ignore line: [Linking C executable cmTC_cf024] + ignore line: [/usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1] + ignore line: [/usr/bin/cc -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 ] + ignore line: [Using built-in specs.] + ignore line: [COLLECT_GCC=/usr/bin/cc] + ignore line: [COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper] + ignore line: [Target: aarch64-redhat-linux] + ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1] + ignore line: [Thread model: posix] + ignore line: [Supported LTO compression algorithms: zlib zstd] + ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ] + ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/] + ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/] + ignore line: [COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 
'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.'] + link line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] + arg [/usr/libexec/gcc/aarch64-redhat-linux/12/collect2] ==> ignore + arg [-plugin] ==> ignore + arg [/usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so] ==> ignore + arg [-plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper] ==> ignore + arg [-plugin-opt=-fresolution=/tmp/cchKwJNt.res] ==> ignore + arg [-plugin-opt=-pass-through=-lgcc] ==> ignore + arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore + arg [-plugin-opt=-pass-through=-lc] ==> ignore + arg [-plugin-opt=-pass-through=-lgcc] ==> ignore + arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore + arg [--build-id] ==> ignore + arg [--no-add-needed] ==> ignore + arg [--eh-frame-hdr] ==> ignore + arg [--hash-style=gnu] ==> ignore + arg [-export-dynamic] ==> ignore + arg 
[-dynamic-linker] ==> ignore + arg [/lib/ld-linux-aarch64.so.1] ==> ignore + arg [-X] ==> ignore + arg [-EL] ==> ignore + arg [-maarch64linux] ==> ignore + arg [-o] ==> ignore + arg [cmTC_cf024] ==> ignore + arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] + arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] + arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o] + arg [-L/usr/lib/gcc/aarch64-redhat-linux/12] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12] + arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] + arg [-L/lib/../lib64] ==> dir [/lib/../lib64] + arg [-L/usr/lib/../lib64] ==> dir [/usr/lib/../lib64] + arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..] 
+ arg [CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o] ==> ignore + arg [-lgcc] ==> lib [gcc] + arg [--push-state] ==> ignore + arg [--as-needed] ==> ignore + arg [-lgcc_s] ==> lib [gcc_s] + arg [--pop-state] ==> ignore + arg [-lc] ==> lib [c] + arg [-lgcc] ==> lib [gcc] + arg [--push-state] ==> ignore + arg [--as-needed] ==> ignore + arg [-lgcc_s] ==> lib [gcc_s] + arg [--pop-state] ==> ignore + arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o] + arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] + collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> [/usr/lib64/crt1.o] + collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> [/usr/lib64/crti.o] + collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> [/usr/lib64/crtn.o] + collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12] ==> [/usr/lib/gcc/aarch64-redhat-linux/12] + collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> [/usr/lib64] + collapse library dir [/lib/../lib64] ==> [/lib64] + collapse library dir [/usr/lib/../lib64] ==> [/usr/lib64] + collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> [/usr/lib] + implicit libs: [gcc;gcc_s;c;gcc;gcc_s] + implicit objs: [/usr/lib64/crt1.o;/usr/lib64/crti.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o;/usr/lib64/crtn.o] + implicit dirs: [/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib] + implicit fwks: [] + + +... diff --git a/products/bascontrol22d4/CMakeFiles/cmake.check_cache b/products/bascontrol22d4/CMakeFiles/cmake.check_cache new file mode 100644 index 000000000000..3dccd731726d --- /dev/null +++ b/products/bascontrol22d4/CMakeFiles/cmake.check_cache 
@@ -0,0 +1 @@
+# This file is generated by cmake for dependency checking of the CMakeCache.txt file
diff --git a/products/bascontrol22d4/CMakeLists.txt b/products/bascontrol22d4/CMakeLists.txt
new file mode 100644
index 000000000000..53f23a29ba13
--- /dev/null
+++ b/products/bascontrol22d4/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd bascontrol22d4; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("bascontrol22d4")
diff --git a/products/bascontrol22d4/product.yml b/products/bascontrol22d4/product.yml
new file mode 100644
index 000000000000..f0acfc6162dd
--- /dev/null
+++ b/products/bascontrol22d4/product.yml
@@ -0,0 +1,17 @@
+product: bascontrol22d4
+full_name: Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4
+type: product
+
+benchmark_id: BASCONTROL22D-4
+benchmark_root: "./guide"
+
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ bascontrol22d4:
+ name: "cpe:/o:bascontrol22d:4"
+ title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4"
+ check_id: installed_app_is_bascontrol22d4
diff --git a/products/bascontrol22d4/profiles/standard.profile b/products/bascontrol22d4/profiles/standard.profile
new file mode 100644
index 000000000000..1cc540965a81
--- /dev/null
+++ b/products/bascontrol22d4/profiles/standard.profile
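Review bot: The CPE on the `name:` line of the product.yml hunk, `cpe:/o:bascontrol22d:4`, puts the product name in the CPE vendor position and the version in the product position; a CPE 2.2 URI is `cpe:/<part>:<vendor>:<product>:<version>`, and the other products in this repository presumably follow that (vendor, then product, then version). Suggest `name: "cpe:/o:contemporary_controls:bascontrol22d:4"`, with the vendor token spelled the way the rest of the content names vendors. Target matching for every rule in this benchmark is decided by this CPE together with `check_id: installed_app_is_bascontrol22d4`, so a malformed name makes applicability unreliable even once the OVAL check behind it is correct.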
@@ -0,0 +1,10 @@ +documentation_complete: true + +title: 'Standard System Security Profile for Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4' + +description: |- + This profile contains rules to ensure standard security baseline + of a Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4 system. + +selections: + - firefox_policy-addons_permission diff --git a/shared/applicability/oval/installed_app_is_bascontrol22d4.xml b/shared/applicability/oval/installed_app_is_bascontrol22d4.xml new file mode 100644 index 000000000000..bef7e8324fea --- /dev/null +++ b/shared/applicability/oval/installed_app_is_bascontrol22d4.xml @@ -0,0 +1,28 @@ + + + + Mozilla Firefox + + Mozilla Firefox + + + The application installed on the system is firefox. + + + + + + + + + + + + firefox + + + diff --git a/ssg/constants.py b/ssg/constants.py index 53a6604e3d28..cbe9f4965745 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -44,6 +44,7 @@ 'anolis8', 'anolis23', 'al2023', + 'bascontrol22d4', 'debian11', 'debian12', 'debian13', 'example', 'eks', @@ -214,6 +215,7 @@ "Anolis OS 8": "anolis8", "Anolis OS 23": "anolis23", "Amazon Linux 2023": "al2023", + "Contemporary Controls BAScontrol22D 4": "bascontrol33d4", "Debian 11": "debian11", "Debian 12": "debian12", "Debian 13": "debian13", 
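Review bot: The only rule selected in the standard.profile hunk, `- firefox_policy-addons_permission`, is a Firefox browser rule and cannot apply to a BACnet/Sedona unitary controller; it reads as a leftover from whichever product directory this one was copied from. If the profile needs a placeholder so it is not empty, say so next to it (`# TODO: placeholder selection until BAScontrol22D rules exist; remove before release`) or use `selections: []`; otherwise a profile titled as a security baseline for the controller ships with a single selection that is never evaluated on the target.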
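Review bot: The new applicability check `installed_app_is_bascontrol22d4` still carries the Firefox content — the title "Mozilla Firefox", the description "The application installed on the system is firefox." and a test value `firefox` are the only strings visible in the hunk — so the CPE that product.yml binds to it resolves to "Firefox is installed" rather than "this host is a BAScontrol22D". The XML markup was lost in this rendering, so the exact test/object elements cannot be quoted, but nothing in the hunk references the controller. The check needs a real fingerprint of the device (whatever identification string or version file the scanner can actually read there); until one exists the file should at least be honest about it, e.g. `<description>Placeholder: TODO replace the firefox test with a BAScontrol22D identification check.</description>`. Because this check gates whether any rule in the benchmark runs, the current content yields "not applicable" on the real controller and "applicable" on any desktop that has Firefox.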
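Review bot: The value on the added line `"Contemporary Controls BAScontrol22D 4": "bascontrol33d4",` has a typo in the product id — every other place in this commit, including the product list hunk at line 44 of the same file, uses `bascontrol22d4` — so a lookup through this mapping resolves to a product that does not exist. Change it to `"Contemporary Controls BAScontrol22D 4": "bascontrol22d4",`. The neighbouring entries (`"Amazon Linux 2023": "al2023"`) suggest this mapping is keyed on the product's `full_name`; if so, the key should also match the `full_name` declared in product.yml, `Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4`, not a shortened form, or the reverse lookup fails as well. A small test asserting that every value in this mapping is present in the product list would have caught the typo.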
@@ -288,17 +290,15 @@ ) ) - -MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", - "openeuler", "kylinserver", - "opensuse", "sle", "tencentos", "ol", "ocp", "rhcos", - "example", "eks", "alinux", "anolis", "openembedded", "al", - "slmicro", "almalinux"] +MULTI_PLATFORM_LIST = ["al", "alinux", "almalinux", "anolis", "bascontrol22d", "debian", "eks", + "example", "fedora", "kylinserver", "ocp", "ol", "openembedded", "openeuler", + "opensuse", "rhcos", "rhel", "rhv", "sle", "slmicro", "tencentos", "ubuntu"] MULTI_PLATFORM_MAPPING = { "multi_platform_alinux": ["alinux2", "alinux3"], "multi_platform_almalinux": ["almalinux9"], "multi_platform_anolis": ["anolis8", "anolis23"], + "multi_platform_bascontrol22d": ["bascontrol22d4"], "multi_platform_debian": ["debian11", "debian12", "debian13"], "multi_platform_example": ["example"], "multi_platform_eks": ["eks"], @@ -430,6 +430,7 @@ 'kylinserver': 'Kylin Server', 'rhel': 'Red Hat Enterprise Linux', 'rhv': 'Red Hat Virtualization', + 'bascontrol22d': 'Contemporary Controls BAScontrol22D', 'debian': 'Debian', 'ubuntu': 'Ubuntu', 'eap': 'JBoss Enterprise Application Platform', From 45d6d38b9546a1176e1fbf0585548377c46d0cab Mon Sep 17 00:00:00 2001 From: cealcorn Date: Tue, 3 Feb 2026 20:29:08 -0800 Subject: [PATCH 003/265] Add products/bascontroll22d4/CMakeFiles/ to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index cafff35ee5ea..8042b82e85d5 100644 --- a/.gitignore +++ b/.gitignore @@ -82,3 +82,4 @@ coverage.xml # Trestle specfic shared/references/oscal/.trestle/cache +products/bascontrol22d4/CMakeFiles/ From eef53605828caa6bdf7762b1d4500f3ed7cb5616 Mon Sep 17 00:00:00 2001 
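Review bot: The `@@ -288` hunk rewrites and re-sorts the whole MULTI_PLATFORM_LIST to add one entry, which buries the actual change ("bascontrol22d") inside a five-line deletion and three-line addition and makes the hunk conflict-prone against any other branch touching the list; inserting the single entry in place would have been a one-line change, with the alphabetisation as its own commit. If sorted order is meant to be kept from now on, a comment such as `# keep sorted` above the list tells the next contributor. The `@@ -430` entry and the MULTI_PLATFORM_MAPPING entry are consistent with the `bascontrol22d` family name used here.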
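Review bot: The new ignore entry `products/bascontrol22d4/CMakeFiles/` is specific to one product directory, while the in-source `cmake .` that the FATAL_ERROR guard in products/bascontrol22d4/CMakeLists.txt exists to catch can happen in any `products/<name>/` directory; a pattern such as `products/*/CMakeFiles/` together with `products/*/CMakeCache.txt` covers the whole tree, since an in-source configure writes CMakeCache.txt next to CMakeFiles/ before the guard's message is seen. If generic `CMakeFiles/` and `CMakeCache.txt` patterns already exist higher in .gitignore (outside this hunk), extending those is preferable to a per-product line.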
From: cealcorn Date: Tue, 3 Feb 2026 20:30:18 -0800 Subject: [PATCH 004/265] Remove products/bascontrols22d4/CMakeFiles/ from repo --- .../CMakeFiles/3.26.3/CMakeCCompiler.cmake | 72 -- .../3.26.3/CMakeDetermineCompilerABI_C.bin | Bin 80488 -> 0 bytes .../CMakeFiles/3.26.3/CMakeSystem.cmake | 15 - .../3.26.3/CompilerIdC/CMakeCCompilerId.c | 866 ------------------ .../CMakeFiles/3.26.3/CompilerIdC/a.out | Bin 80632 -> 0 bytes .../CompilerIdCXX/CMakeCXXCompilerId.cpp | 855 ----------------- .../CMakeFiles/CMakeConfigureLog.yaml | 451 --------- .../CMakeFiles/cmake.check_cache | 1 - 8 files changed, 2260 deletions(-) delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake delete mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeSystem.cmake delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/CMakeCCompilerId.c delete mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp delete mode 100644 products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml delete mode 100644 products/bascontrol22d4/CMakeFiles/cmake.check_cache diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake deleted file mode 100644 index 9db2d954e33a..000000000000 --- a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake +++ /dev/null 
@@ -1,72 +0,0 @@ -set(CMAKE_C_COMPILER "/usr/bin/cc") -set(CMAKE_C_COMPILER_ARG1 "") -set(CMAKE_C_COMPILER_ID "GNU") -set(CMAKE_C_COMPILER_VERSION "12.1.1") -set(CMAKE_C_COMPILER_VERSION_INTERNAL "") -set(CMAKE_C_COMPILER_WRAPPER "") -set(CMAKE_C_STANDARD_COMPUTED_DEFAULT "17") -set(CMAKE_C_EXTENSIONS_COMPUTED_DEFAULT "ON") -set(CMAKE_C_COMPILE_FEATURES "c_std_90;c_function_prototypes;c_std_99;c_restrict;c_variadic_macros;c_std_11;c_static_assert;c_std_17;c_std_23") -set(CMAKE_C90_COMPILE_FEATURES "c_std_90;c_function_prototypes") -set(CMAKE_C99_COMPILE_FEATURES "c_std_99;c_restrict;c_variadic_macros") -set(CMAKE_C11_COMPILE_FEATURES "c_std_11;c_static_assert") -set(CMAKE_C17_COMPILE_FEATURES "c_std_17") -set(CMAKE_C23_COMPILE_FEATURES "c_std_23") - -set(CMAKE_C_PLATFORM_ID "Linux") -set(CMAKE_C_SIMULATE_ID "") -set(CMAKE_C_COMPILER_FRONTEND_VARIANT "GNU") -set(CMAKE_C_SIMULATE_VERSION "") - - - - -set(CMAKE_AR "/usr/bin/ar") -set(CMAKE_C_COMPILER_AR "/usr/bin/gcc-ar") -set(CMAKE_RANLIB "/usr/bin/ranlib") -set(CMAKE_C_COMPILER_RANLIB "/usr/bin/gcc-ranlib") -set(CMAKE_LINKER "/usr/bin/ld") -set(CMAKE_MT "") -set(CMAKE_COMPILER_IS_GNUCC 1) -set(CMAKE_C_COMPILER_LOADED 1) -set(CMAKE_C_COMPILER_WORKS TRUE) -set(CMAKE_C_ABI_COMPILED TRUE) - -set(CMAKE_C_COMPILER_ENV_VAR "CC") - -set(CMAKE_C_COMPILER_ID_RUN 1) -set(CMAKE_C_SOURCE_FILE_EXTENSIONS c;m) -set(CMAKE_C_IGNORE_EXTENSIONS h;H;o;O;obj;OBJ;def;DEF;rc;RC) -set(CMAKE_C_LINKER_PREFERENCE 10) - -# Save compiler ABI information. 
-set(CMAKE_C_SIZEOF_DATA_PTR "8") -set(CMAKE_C_COMPILER_ABI "ELF") -set(CMAKE_C_BYTE_ORDER "LITTLE_ENDIAN") -set(CMAKE_C_LIBRARY_ARCHITECTURE "") - -if(CMAKE_C_SIZEOF_DATA_PTR) - set(CMAKE_SIZEOF_VOID_P "${CMAKE_C_SIZEOF_DATA_PTR}") -endif() - -if(CMAKE_C_COMPILER_ABI) - set(CMAKE_INTERNAL_PLATFORM_ABI "${CMAKE_C_COMPILER_ABI}") -endif() - -if(CMAKE_C_LIBRARY_ARCHITECTURE) - set(CMAKE_LIBRARY_ARCHITECTURE "") -endif() - -set(CMAKE_C_CL_SHOWINCLUDES_PREFIX "") -if(CMAKE_C_CL_SHOWINCLUDES_PREFIX) - set(CMAKE_CL_SHOWINCLUDES_PREFIX "${CMAKE_C_CL_SHOWINCLUDES_PREFIX}") -endif() - - - - - -set(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include") -set(CMAKE_C_IMPLICIT_LINK_LIBRARIES "gcc;gcc_s;c;gcc;gcc_s") -set(CMAKE_C_IMPLICIT_LINK_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib") -set(CMAKE_C_IMPLICIT_LINK_FRAMEWORK_DIRECTORIES "") 
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin deleted file mode 100755 index df1625832f344f4ea52f49e2bf1d3d149e4684b9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80488 zcmeI3eQX@Zb->@onyJI-B@l$TS^Js$ge$4C6We-syv`d04%w6lJ&aI6^1Uk zGPBh!vIKWD>Ob{$an-F~TurMC%hT0kea*>HzHf^vqBK;7Wt89Vp&#}0&89|ecuuz$#id#IpC!-3y9)X2 zy9&7zg?w>x>V##LhsW+bovM^lZSJ`DV0@b6-of`l?CpD(zjkWt9V1U)`N72H`@iy& zueOcQ7^x2wk8CKBeS^xmc^VHjPrA9r83U4ceqwW7U3zo9VNe}SwHn7?pI+?fe(~oY z+S2*b*I)hPk8D44Y1=nnzW>0p?|t>!$?T8*?Z$`CAH4Y3(;s;#bN7>1o9nMW@QX{+ z=o*@+Kf6O}j-oCZqW@@w{ub1S#rbN4{RrwCp&8rgz}$NJAZ8n39~=zmKdkl50sUpA zuZ>edeG=mY?d=HrPousGcES8+19R@2l6)Aq-LL~E#h@bGt^Nai2_^ME*w3A)C;Mg{ zhx$k99^At0&!V2%UC{Qok};+~#Vw2vm?o~oVYA{`Wyc)1@SVC zaokg4xQEdHs6Vocq2+BTdH=pN_gUOk67YSkyQ0c*c$thb&99}EjNuNccXd_1;nCB6 z$!Wo(_aBGdbsNVxF*ZiIS+7shd*d{E^mHuXbkEVmi>r@*>r1N%m^%*e0bjnEFjihU3UjYx``Fwp%paUfU|k(|L?Yekl?AGT=DW z7z6f40KWUS-#+%k^!7jesR$~Rv1rS@EY-&Fj5wGCEo!FU(S z#(QP}-u+|jdlF{OT`0qQeznb5S$*_7RkqBJ#`7=O|Fw_74;FU8^EVT)vUV7r2V@bO zIXbtnYv%dn*oAh~A6qzVpgy*3LD$2=(Yc#g4^!4uX#Itj4eMhIEs^o5E$q`AG4igF z;QFBT?@j%KJws=|d;w96$s_h7ld!|WaG?(Z5*gQ{14*=ff% zOJzKEJUGyw$qaOx-Gg2I=|Qwm^;S0jAYMO_L+n7}ce_y1x$5fb+S>b3E~A`4+5E=Z z+7l@IP}1@536#&FypHk)%6XKyrd4XxGWN(hsGB+zJFxw*+LxPApTT(Qc$;oGMCaE# zaGOCLUvrQv`BOihKz%DIFp=&&Zl7m=%(viHz-=CNxRwFZC(=8UpR4X9zU1qLJy8H!QuigL8#Iol8KW*SSJ>Hn zXOi#e9em$AlWiwcZK<~8$<~u6Ti@M!SMnX_>|C548gwUIAiJh|A z0Q7phTgxz;K3(_z4QzN_KI566U|YOaujw@#*472xM)L+X9EW9C9Ij&-X2X4bc7r~1 zU%#jOL+ji(u8FqRyY57#?l;RMs#J1W*Ow=Y#e8uzIXXNXoGeIcQ#~*BRD6X?q(+~-vy|J&&wC3iluWve(m z<{8VGoIPSq7928>IhHw={aE&6IabTD8n2V&d`u@rO6uGx=VQ6%l4~w~y(`z%?vX*R ztJSel?w#b`N$#EG-bwDA|L?O*e%{YA>A#MX=hf-A{_|>{Tb44%HSZDL z^6w-J{oaY+(a9XYb?2Dgm(jb$n0qf7`i?6&-~7(Y^*I*${!PaVUF+CfWJ=&ej`p}w zQ=fo1WJ2``m?ZEHf{d%O&?|nTL3D^nz-r1vu1iopV*YA=2`bOy6Vt7?5pMWNq4b|@k 
z{?5bel)$&O{C$UCzX!s;KS;o>a9w|o;kVxl{GEnhzYm(B!>dyH1Zoe4>Z@<7eLe}; z56OT%E_tYfU#j=UUSsw0m)`6KIMZ_mdgFUKpm)C;X@buOxT)`7;yZxPh1`Z~zaREA z`^S|cgAn^3tq=Bx_6Z z9DcpoALnxs_Fs$8bDU>(`s2J1VgK(DdX6)&#~&vVN2rnWQhWS4sO^o={b)b@(*b|{ z)7qY|H`FBJzk4@qcR$=w?~hZ6u>Vwqp2vG*t3S?PM%cd)q31Y{H~QoJM}+-e`XD8e z=YDA2>yL9P!ak$*LC%kAeUK*~_k#9r|C``y;Q00o#@Xoj8I1oIXdlPpC+qje)R^Y@)@6pmAS9&bha7}V-{-sc1J?&@pL zze5-&Y&|fCg#d?P)$T4>*7`%bqaW4!X5DU5>o044yVmd2dS18u{hn59ZcWg>)nJv9 zf4*Tqo8aDn{a>keYxNW?Y`ot<`*_Ip*mrdQgX`h@%6z{;HS#I_Bv__^>o!9 zynaj6(>(5j;C0R}rLVp2`W@8A@yoN|^{3l@?e*tzwBJol2T~vElK~wSpHlkT>$e>0 z8$IisUCXF%!s}IDC;UC{C$)WWTpv^VeKpsCpNO#kthNtcPyQL|liUf9{0i#B#`|}u zr+)HvwVDp}doLc(X7zV`0G_KP~~4iewzRI4qx81I+FQX_k+Ou%?%;WAkY!wRT z!?tzN94V5nNV>9NrjJPq#m%(=<&@o9ANluTMNKGV*#)~gxJAD2tMI8rjR(}0bXNPGX%Z@rq8tTcFc`|kCG?@LFv*!9VU__dPjFqKMnb}H3 z`TEBQz4(ukRxaLQoXIm@xM6^@feW|GQv!NTZxsaW;5vZb<9ZMy9)Y?zFCI>fq? zqLZ@6^vWB{p)Z$Q4|fT=9-PO()_5LIS)+6w!hb2%fEx_SKnnMSaa`bTztqrDmgAK3 z*+~cYp8uspzjun^Mz?X4+T#WZlu7{q9?C7bwwxz<6gT>f5&QG=&5TyGkdY_xbq1@{ zPe8E1{`{O{N-L6VsAbT<3-$krze!^Mr{adPd`c@WsM7lTM7}Q7Y8b@KHr&{MIc{JH z@cF6|aGl^_qTgFkmi?PaiRt%o!&{iDKmYFQn(pXpWaLRYTvbEQx$wsp)&BEy+ArYs z5T&=f0(7z34)^yW*3)mcxXjOU=e0wt_7C=7tAU=UQCHa?HW_XeIbiB@MYa9l_#el5 z^6$`g{Cv1C#Gjti2mSvDb;LxQSFht|wSs?dr^BnZI8XB9xOx5gdGmAH|6Z>#=GAYI zJh~?X{?K5!wfcv1R{|5JYh4@s|1@si_WAks6+KX1C+tA1yy+P%kU#V1>+yN*|B%-h z^UROcU&M^ppYNyo^bh;G*ig%0`+pPg=jZ0L+W+qZ{=xRIVLjc$(mp_mpRX^jy5*of zmsx%f&FFVj?9b2Pm)@lR4fLg{W`BNOzpVY|_5AVr;&yo*+(ch8VSj$Ee_cOOPhy=n zu|Lb#vC`|$&;J*-Kkt7WgZ)_kBH+*WbNl99SloZU-#Yjv{r^kH z4EB@#Q`MH-47blRff?FWX0#pOHxB6b_vi;Ac;~26aQ#snUi;cai3^9^7RIzA9S8mZ pH|ECs6)jU9yK>b3t{>Mu>24 & 0x00FF) -# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF) -# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__ & 0xFFFF) - -#elif defined(__BORLANDC__) -# define COMPILER_ID "Borland" - /* __BORLANDC__ = 0xVRR */ -# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8) -# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF) - -#elif 
defined(__WATCOMC__) && __WATCOMC__ < 1200 -# define COMPILER_ID "Watcom" - /* __WATCOMC__ = VVRR */ -# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100) -# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) -# if (__WATCOMC__ % 10) > 0 -# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) -# endif - -#elif defined(__WATCOMC__) -# define COMPILER_ID "OpenWatcom" - /* __WATCOMC__ = VVRP + 1100 */ -# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100) -# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) -# if (__WATCOMC__ % 10) > 0 -# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) -# endif - -#elif defined(__SUNPRO_C) -# define COMPILER_ID "SunPro" -# if __SUNPRO_C >= 0x5100 - /* __SUNPRO_C = 0xVRRP */ -# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>12) -# define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xFF) -# define COMPILER_VERSION_PATCH HEX(__SUNPRO_C & 0xF) -# else - /* __SUNPRO_CC = 0xVRP */ -# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>8) -# define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xF) -# define COMPILER_VERSION_PATCH HEX(__SUNPRO_C & 0xF) -# endif - -#elif defined(__HP_cc) -# define COMPILER_ID "HP" - /* __HP_cc = VVRRPP */ -# define COMPILER_VERSION_MAJOR DEC(__HP_cc/10000) -# define COMPILER_VERSION_MINOR DEC(__HP_cc/100 % 100) -# define COMPILER_VERSION_PATCH DEC(__HP_cc % 100) - -#elif defined(__DECC) -# define COMPILER_ID "Compaq" - /* __DECC_VER = VVRRTPPPP */ -# define COMPILER_VERSION_MAJOR DEC(__DECC_VER/10000000) -# define COMPILER_VERSION_MINOR DEC(__DECC_VER/100000 % 100) -# define COMPILER_VERSION_PATCH DEC(__DECC_VER % 10000) - -#elif defined(__IBMC__) && defined(__COMPILER_VER__) -# define COMPILER_ID "zOS" - /* __IBMC__ = VRP */ -# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100) -# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10) -# define COMPILER_VERSION_PATCH DEC(__IBMC__ % 10) - -#elif defined(__open_xl__) && defined(__clang__) -# define COMPILER_ID "IBMClang" -# define 
COMPILER_VERSION_MAJOR DEC(__open_xl_version__) -# define COMPILER_VERSION_MINOR DEC(__open_xl_release__) -# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__) -# define COMPILER_VERSION_TWEAK DEC(__open_xl_ptf_fix_level__) - - -#elif defined(__ibmxl__) && defined(__clang__) -# define COMPILER_ID "XLClang" -# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__) -# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__) -# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__) -# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__) - - -#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ >= 800 -# define COMPILER_ID "XL" - /* __IBMC__ = VRP */ -# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100) -# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10) -# define COMPILER_VERSION_PATCH DEC(__IBMC__ % 10) - -#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ < 800 -# define COMPILER_ID "VisualAge" - /* __IBMC__ = VRP */ -# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100) -# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10) -# define COMPILER_VERSION_PATCH DEC(__IBMC__ % 10) - -#elif defined(__NVCOMPILER) -# define COMPILER_ID "NVHPC" -# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__) -# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__) -# if defined(__NVCOMPILER_PATCHLEVEL__) -# define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__) -# endif - -#elif defined(__PGI) -# define COMPILER_ID "PGI" -# define COMPILER_VERSION_MAJOR DEC(__PGIC__) -# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__) -# if defined(__PGIC_PATCHLEVEL__) -# define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__) -# endif - -#elif defined(_CRAYC) -# define COMPILER_ID "Cray" -# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR) -# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR) - -#elif defined(__TI_COMPILER_VERSION__) -# define COMPILER_ID "TI" - /* __TI_COMPILER_VERSION__ = VVVRRRPPP */ -# define COMPILER_VERSION_MAJOR 
DEC(__TI_COMPILER_VERSION__/1000000) -# define COMPILER_VERSION_MINOR DEC(__TI_COMPILER_VERSION__/1000 % 1000) -# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__ % 1000) - -#elif defined(__CLANG_FUJITSU) -# define COMPILER_ID "FujitsuClang" -# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) -# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) -# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) -# define COMPILER_VERSION_INTERNAL_STR __clang_version__ - - -#elif defined(__FUJITSU) -# define COMPILER_ID "Fujitsu" -# if defined(__FCC_version__) -# define COMPILER_VERSION __FCC_version__ -# elif defined(__FCC_major__) -# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) -# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) -# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) -# endif -# if defined(__fcc_version) -# define COMPILER_VERSION_INTERNAL DEC(__fcc_version) -# elif defined(__FCC_VERSION) -# define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION) -# endif - - -#elif defined(__ghs__) -# define COMPILER_ID "GHS" -/* __GHS_VERSION_NUMBER = VVVVRP */ -# ifdef __GHS_VERSION_NUMBER -# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100) -# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10) -# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER % 10) -# endif - -#elif defined(__TASKING__) -# define COMPILER_ID "Tasking" - # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000) - # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100) -# define COMPILER_VERSION_INTERNAL DEC(__VERSION__) - -#elif defined(__TINYC__) -# define COMPILER_ID "TinyCC" - -#elif defined(__BCC__) -# define COMPILER_ID "Bruce" - -#elif defined(__SCO_VERSION__) -# define COMPILER_ID "SCO" - -#elif defined(__ARMCC_VERSION) && !defined(__clang__) -# define COMPILER_ID "ARMCC" -#if __ARMCC_VERSION >= 1000000 - /* __ARMCC_VERSION = VRRPPPP */ - # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000) - # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 
100) - # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) -#else - /* __ARMCC_VERSION = VRPPPP */ - # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000) - # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10) - # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) -#endif - - -#elif defined(__clang__) && defined(__apple_build_version__) -# define COMPILER_ID "AppleClang" -# if defined(_MSC_VER) -# define SIMULATE_ID "MSVC" -# endif -# define COMPILER_VERSION_MAJOR DEC(__clang_major__) -# define COMPILER_VERSION_MINOR DEC(__clang_minor__) -# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) -# if defined(_MSC_VER) - /* _MSC_VER = VVRR */ -# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) -# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) -# endif -# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__) - -#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION) -# define COMPILER_ID "ARMClang" - # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000) - # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100) - # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION % 10000) -# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION) - -#elif defined(__clang__) -# define COMPILER_ID "Clang" -# if defined(_MSC_VER) -# define SIMULATE_ID "MSVC" -# endif -# define COMPILER_VERSION_MAJOR DEC(__clang_major__) -# define COMPILER_VERSION_MINOR DEC(__clang_minor__) -# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) -# if defined(_MSC_VER) - /* _MSC_VER = VVRR */ -# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) -# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) -# endif - -#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__)) -# define COMPILER_ID "LCC" -# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100) -# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100) -# if defined(__LCC_MINOR__) -# define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__) -# endif -# if 
defined(__GNUC__) && defined(__GNUC_MINOR__) -# define SIMULATE_ID "GNU" -# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) -# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) -# if defined(__GNUC_PATCHLEVEL__) -# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) -# endif -# endif - -#elif defined(__GNUC__) -# define COMPILER_ID "GNU" -# define COMPILER_VERSION_MAJOR DEC(__GNUC__) -# if defined(__GNUC_MINOR__) -# define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__) -# endif -# if defined(__GNUC_PATCHLEVEL__) -# define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) -# endif - -#elif defined(_MSC_VER) -# define COMPILER_ID "MSVC" - /* _MSC_VER = VVRR */ -# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100) -# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100) -# if defined(_MSC_FULL_VER) -# if _MSC_VER >= 1400 - /* _MSC_FULL_VER = VVRRPPPPP */ -# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000) -# else - /* _MSC_FULL_VER = VVRRPPPP */ -# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000) -# endif -# endif -# if defined(_MSC_BUILD) -# define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD) -# endif - -#elif defined(_ADI_COMPILER) -# define COMPILER_ID "ADSP" -#if defined(__VERSIONNUM__) - /* __VERSIONNUM__ = 0xVVRRPPTT */ -# define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF) -# define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF) -# define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF) -# define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF) -#endif - -#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) -# define COMPILER_ID "IAR" -# if defined(__VER__) && defined(__ICCARM__) -# define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000) -# define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000) -# define COMPILER_VERSION_PATCH DEC((__VER__) % 1000) -# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) -# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || 
defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__)) -# define COMPILER_VERSION_MAJOR DEC((__VER__) / 100) -# define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100)) -# define COMPILER_VERSION_PATCH DEC(__SUBVERSION__) -# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) -# endif - -#elif defined(__SDCC_VERSION_MAJOR) || defined(SDCC) -# define COMPILER_ID "SDCC" -# if defined(__SDCC_VERSION_MAJOR) -# define COMPILER_VERSION_MAJOR DEC(__SDCC_VERSION_MAJOR) -# define COMPILER_VERSION_MINOR DEC(__SDCC_VERSION_MINOR) -# define COMPILER_VERSION_PATCH DEC(__SDCC_VERSION_PATCH) -# else - /* SDCC = VRP */ -# define COMPILER_VERSION_MAJOR DEC(SDCC/100) -# define COMPILER_VERSION_MINOR DEC(SDCC/10 % 10) -# define COMPILER_VERSION_PATCH DEC(SDCC % 10) -# endif - - -/* These compilers are either not known or too old to define an - identification macro. Try to identify the platform and guess that - it is the native compiler. */ -#elif defined(__hpux) || defined(__hpua) -# define COMPILER_ID "HP" - -#else /* unknown compiler */ -# define COMPILER_ID "" -#endif - -/* Construct the string literal in pieces to prevent the source from - getting matched. Store it in a pointer rather than an array - because some compilers will just produce instructions to fill the - array rather than assigning a pointer to a static array. */ -char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]"; -#ifdef SIMULATE_ID -char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]"; -#endif - -#ifdef __QNXNTO__ -char const* qnxnto = "INFO" ":" "qnxnto[]"; -#endif - -#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) -char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]"; -#endif - -#define STRINGIFY_HELPER(X) #X -#define STRINGIFY(X) STRINGIFY_HELPER(X) - -/* Identify known platforms by name. 
*/ -#if defined(__linux) || defined(__linux__) || defined(linux) -# define PLATFORM_ID "Linux" - -#elif defined(__MSYS__) -# define PLATFORM_ID "MSYS" - -#elif defined(__CYGWIN__) -# define PLATFORM_ID "Cygwin" - -#elif defined(__MINGW32__) -# define PLATFORM_ID "MinGW" - -#elif defined(__APPLE__) -# define PLATFORM_ID "Darwin" - -#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32) -# define PLATFORM_ID "Windows" - -#elif defined(__FreeBSD__) || defined(__FreeBSD) -# define PLATFORM_ID "FreeBSD" - -#elif defined(__NetBSD__) || defined(__NetBSD) -# define PLATFORM_ID "NetBSD" - -#elif defined(__OpenBSD__) || defined(__OPENBSD) -# define PLATFORM_ID "OpenBSD" - -#elif defined(__sun) || defined(sun) -# define PLATFORM_ID "SunOS" - -#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__) -# define PLATFORM_ID "AIX" - -#elif defined(__hpux) || defined(__hpux__) -# define PLATFORM_ID "HP-UX" - -#elif defined(__HAIKU__) -# define PLATFORM_ID "Haiku" - -#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS) -# define PLATFORM_ID "BeOS" - -#elif defined(__QNX__) || defined(__QNXNTO__) -# define PLATFORM_ID "QNX" - -#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__) -# define PLATFORM_ID "Tru64" - -#elif defined(__riscos) || defined(__riscos__) -# define PLATFORM_ID "RISCos" - -#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__) -# define PLATFORM_ID "SINIX" - -#elif defined(__UNIX_SV__) -# define PLATFORM_ID "UNIX_SV" - -#elif defined(__bsdos__) -# define PLATFORM_ID "BSDOS" - -#elif defined(_MPRAS) || defined(MPRAS) -# define PLATFORM_ID "MP-RAS" - -#elif defined(__osf) || defined(__osf__) -# define PLATFORM_ID "OSF1" - -#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv) -# define PLATFORM_ID "SCO_SV" - -#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX) -# define PLATFORM_ID "ULTRIX" - -#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX) -# define 
PLATFORM_ID "Xenix" - -#elif defined(__WATCOMC__) -# if defined(__LINUX__) -# define PLATFORM_ID "Linux" - -# elif defined(__DOS__) -# define PLATFORM_ID "DOS" - -# elif defined(__OS2__) -# define PLATFORM_ID "OS2" - -# elif defined(__WINDOWS__) -# define PLATFORM_ID "Windows3x" - -# elif defined(__VXWORKS__) -# define PLATFORM_ID "VxWorks" - -# else /* unknown platform */ -# define PLATFORM_ID -# endif - -#elif defined(__INTEGRITY) -# if defined(INT_178B) -# define PLATFORM_ID "Integrity178" - -# else /* regular Integrity */ -# define PLATFORM_ID "Integrity" -# endif - -# elif defined(_ADI_COMPILER) -# define PLATFORM_ID "ADSP" - -#else /* unknown platform */ -# define PLATFORM_ID - -#endif - -/* For windows compilers MSVC and Intel we can determine - the architecture of the compiler being used. This is because - the compilers do not have flags that can change the architecture, - but rather depend on which compiler is being used -*/ -#if defined(_WIN32) && defined(_MSC_VER) -# if defined(_M_IA64) -# define ARCHITECTURE_ID "IA64" - -# elif defined(_M_ARM64EC) -# define ARCHITECTURE_ID "ARM64EC" - -# elif defined(_M_X64) || defined(_M_AMD64) -# define ARCHITECTURE_ID "x64" - -# elif defined(_M_IX86) -# define ARCHITECTURE_ID "X86" - -# elif defined(_M_ARM64) -# define ARCHITECTURE_ID "ARM64" - -# elif defined(_M_ARM) -# if _M_ARM == 4 -# define ARCHITECTURE_ID "ARMV4I" -# elif _M_ARM == 5 -# define ARCHITECTURE_ID "ARMV5I" -# else -# define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM) -# endif - -# elif defined(_M_MIPS) -# define ARCHITECTURE_ID "MIPS" - -# elif defined(_M_SH) -# define ARCHITECTURE_ID "SHx" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__WATCOMC__) -# if defined(_M_I86) -# define ARCHITECTURE_ID "I86" - -# elif defined(_M_IX86) -# define ARCHITECTURE_ID "X86" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) -# if 
defined(__ICCARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__ICCRX__) -# define ARCHITECTURE_ID "RX" - -# elif defined(__ICCRH850__) -# define ARCHITECTURE_ID "RH850" - -# elif defined(__ICCRL78__) -# define ARCHITECTURE_ID "RL78" - -# elif defined(__ICCRISCV__) -# define ARCHITECTURE_ID "RISCV" - -# elif defined(__ICCAVR__) -# define ARCHITECTURE_ID "AVR" - -# elif defined(__ICC430__) -# define ARCHITECTURE_ID "MSP430" - -# elif defined(__ICCV850__) -# define ARCHITECTURE_ID "V850" - -# elif defined(__ICC8051__) -# define ARCHITECTURE_ID "8051" - -# elif defined(__ICCSTM8__) -# define ARCHITECTURE_ID "STM8" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__ghs__) -# if defined(__PPC64__) -# define ARCHITECTURE_ID "PPC64" - -# elif defined(__ppc__) -# define ARCHITECTURE_ID "PPC" - -# elif defined(__ARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__x86_64__) -# define ARCHITECTURE_ID "x64" - -# elif defined(__i386__) -# define ARCHITECTURE_ID "X86" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__TI_COMPILER_VERSION__) -# if defined(__TI_ARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__MSP430__) -# define ARCHITECTURE_ID "MSP430" - -# elif defined(__TMS320C28XX__) -# define ARCHITECTURE_ID "TMS320C28x" - -# elif defined(__TMS320C6X__) || defined(_TMS320C6X) -# define ARCHITECTURE_ID "TMS320C6x" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -# elif defined(__ADSPSHARC__) -# define ARCHITECTURE_ID "SHARC" - -# elif defined(__ADSPBLACKFIN__) -# define ARCHITECTURE_ID "Blackfin" - -#elif defined(__TASKING__) - -# if defined(__CTC__) || defined(__CPTC__) -# define ARCHITECTURE_ID "TriCore" - -# elif defined(__CMCS__) -# define ARCHITECTURE_ID "MCS" - -# elif defined(__CARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__CARC__) -# define ARCHITECTURE_ID "ARC" - -# elif defined(__C51__) -# define ARCHITECTURE_ID 
"8051" - -# elif defined(__CPCP__) -# define ARCHITECTURE_ID "PCP" - -# else -# define ARCHITECTURE_ID "" -# endif - -#else -# define ARCHITECTURE_ID -#endif - -/* Convert integer to decimal digit literals. */ -#define DEC(n) \ - ('0' + (((n) / 10000000)%10)), \ - ('0' + (((n) / 1000000)%10)), \ - ('0' + (((n) / 100000)%10)), \ - ('0' + (((n) / 10000)%10)), \ - ('0' + (((n) / 1000)%10)), \ - ('0' + (((n) / 100)%10)), \ - ('0' + (((n) / 10)%10)), \ - ('0' + ((n) % 10)) - -/* Convert integer to hex digit literals. */ -#define HEX(n) \ - ('0' + ((n)>>28 & 0xF)), \ - ('0' + ((n)>>24 & 0xF)), \ - ('0' + ((n)>>20 & 0xF)), \ - ('0' + ((n)>>16 & 0xF)), \ - ('0' + ((n)>>12 & 0xF)), \ - ('0' + ((n)>>8 & 0xF)), \ - ('0' + ((n)>>4 & 0xF)), \ - ('0' + ((n) & 0xF)) - -/* Construct a string literal encoding the version number. */ -#ifdef COMPILER_VERSION -char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]"; - -/* Construct a string literal encoding the version number components. */ -#elif defined(COMPILER_VERSION_MAJOR) -char const info_version[] = { - 'I', 'N', 'F', 'O', ':', - 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[', - COMPILER_VERSION_MAJOR, -# ifdef COMPILER_VERSION_MINOR - '.', COMPILER_VERSION_MINOR, -# ifdef COMPILER_VERSION_PATCH - '.', COMPILER_VERSION_PATCH, -# ifdef COMPILER_VERSION_TWEAK - '.', COMPILER_VERSION_TWEAK, -# endif -# endif -# endif - ']','\0'}; -#endif - -/* Construct a string literal encoding the internal version number. 
*/ -#ifdef COMPILER_VERSION_INTERNAL -char const info_version_internal[] = { - 'I', 'N', 'F', 'O', ':', - 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_', - 'i','n','t','e','r','n','a','l','[', - COMPILER_VERSION_INTERNAL,']','\0'}; -#elif defined(COMPILER_VERSION_INTERNAL_STR) -char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]"; -#endif - -/* Construct a string literal encoding the version number components. */ -#ifdef SIMULATE_VERSION_MAJOR -char const info_simulate_version[] = { - 'I', 'N', 'F', 'O', ':', - 's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[', - SIMULATE_VERSION_MAJOR, -# ifdef SIMULATE_VERSION_MINOR - '.', SIMULATE_VERSION_MINOR, -# ifdef SIMULATE_VERSION_PATCH - '.', SIMULATE_VERSION_PATCH, -# ifdef SIMULATE_VERSION_TWEAK - '.', SIMULATE_VERSION_TWEAK, -# endif -# endif -# endif - ']','\0'}; -#endif - -/* Construct the string literal in pieces to prevent the source from - getting matched. Store it in a pointer rather than an array - because some compilers will just produce instructions to fill the - array rather than assigning a pointer to a static array. 
*/ -char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]"; -char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]"; - - - -#if !defined(__STDC__) && !defined(__clang__) -# if defined(_MSC_VER) || defined(__ibmxl__) || defined(__IBMC__) -# define C_VERSION "90" -# else -# define C_VERSION -# endif -#elif __STDC_VERSION__ > 201710L -# define C_VERSION "23" -#elif __STDC_VERSION__ >= 201710L -# define C_VERSION "17" -#elif __STDC_VERSION__ >= 201000L -# define C_VERSION "11" -#elif __STDC_VERSION__ >= 199901L -# define C_VERSION "99" -#else -# define C_VERSION "90" -#endif -const char* info_language_standard_default = - "INFO" ":" "standard_default[" C_VERSION "]"; - -const char* info_language_extensions_default = "INFO" ":" "extensions_default[" -#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) || \ - defined(__TI_COMPILER_VERSION__)) && \ - !defined(__STRICT_ANSI__) - "ON" -#else - "OFF" -#endif -"]"; - -/*--------------------------------------------------------------------------*/ - -#ifdef ID_VOID_MAIN -void main() {} -#else -# if defined(__CLASSIC_C__) -int main(argc, argv) int argc; char *argv[]; -# else -int main(int argc, char* argv[]) -# endif -{ - int require = 0; - require += info_compiler[argc]; - require += info_platform[argc]; - require += info_arch[argc]; -#ifdef COMPILER_VERSION_MAJOR - require += info_version[argc]; -#endif -#ifdef COMPILER_VERSION_INTERNAL - require += info_version_internal[argc]; -#endif -#ifdef SIMULATE_ID - require += info_simulate[argc]; -#endif -#ifdef SIMULATE_VERSION_MAJOR - require += info_simulate_version[argc]; -#endif -#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) - require += info_cray[argc]; -#endif - require += info_language_standard_default[argc]; - require += info_language_extensions_default[argc]; - (void)argv; - return require; -} -#endif 
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out deleted file mode 100755 index 59cce56d0864b921fa3ad5b3107537b269645584..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80632 zcmeI3eQX@Zb->@=T=6v*jn?`}yR zblfBMmJSsMHIw*{v4y z7M96rIlNA1S%T_~{-w5FU)JTvgCKu_}w&qEU%b`vE=?y-)NgK z@g~w1<|uEGfMNB!BFUE0@z;V9?H@FO4z9IGjd?9w`TYs{Q9Exnbs57GroL8Owwd;` z5j%x2xyJ z|MaDs&p-d#0}GwhM`{DbBO6L&-=X%jp31mBqkdaK_L~!|9ztC2F7UQk+r? zd$4UJQnYJ<;|KPPQ})0qRQ&)*OI#j=kt1V+Lw0|z??7XB-+r*iCXU)A*LSDNwZQc! zjt*6-o;%?bDlW#HnyGpwrmamA4FS?fDuo1@R|++EVOx2epI-bcoE{mt-{>x>d>V3? zr*x&BS2BeI(>MfBb2X%=@!@nWq>mntgUTe0akwp{SPLuqaGb7?p5_FnNAAzOy!^xu zzOtNwMI5{H%TN69nIE9;a>o8C+mO70HaAdozcsSd_39&w+4Rnz?#yOh=B+CQ=epC@ zQdb&OnaZ!h{C%PPZI~a_`Ecx8*|&Q#FW(CbFYdtYwG4dqm5jCY>iw|z3v4&~pMxuR zEM~B*4Y!}w>rek2H}V+(*g|cjed^OS>;t?$vSa~V`j>irE9s~lA)bS5Y7v*{bGuMJ z0`SYrxQx7l_Pef+EIDX@Ba`|nV80ccnEft*AK&-plRwF?|M;hOy_x^q57GWr^c}o0 zvQ$vM>4q=Wr@4P$asPEEEZvUrPT!Y*XaV58)c!0ioH%`7>Y-nET1(4M{9R*Am^bz3 z-?9DmPr^T6+XTI1X>qe(DSMeUZi@Jcr}+myXYH8asA){NZAC zX0}{${ZqIiepr`A^!DSfUn^I=Q@twn_2=|XZ(n1_xPkJUtvJDC)t@r?8ZC!lS9N9ykNJC$x5mi_IU_4+}S zknh+*=aYBib_I2Oj-?{U&9niFDMK->^UK_uxkD%3?bPP(prheq;8FZGV#) z{9JnU-+uO!ji^C2)pH)V0kjL(LwaieZq&D>a0k7g+=x<=5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@ zLO=)z0U;m+gn$tEe?Z{)8cX$}%gB`J(_KccH}XQ8rS>+M{9_$D&vw_B^Qz=-Q@+;7 z?MB`(<@dzOfBROwN~#NKiv+Z*Ux3k!rS{gC{IhADzs=%TQ9BBW^QX>+Dykpq+hdry$2qI21n+ZC8(4%>vn(6 
z^UB^-cB)v64;EyV;fk%}dDTMMOSI)Rf#c3r=BCipb7tI!v&NCa@v*Dz_Kb{w5Gw6> zfUb$uwI@x-@TQ3FUA4d|p0SG+r#206d!%enanhdktASe#%2khI^O|MqIXr%1V(jpT zpiXXgMtt8ja%609=;TQ||LCKK&}#hHqgWnmPY1Q9J>s{EhBqFoI#UkpNgsP{&sNJ` z;QDA2Ys(s3A5Va9J;%AQIT~jJ4H)uC=Fq$j>_Ph!&S+jAvQ!_Y{U#1y zr)Vtz*SmXrwBF$s_9s_u&vuy4MB`Li*gw@m&+X}17mf497WUt5q31YPHb&#T*uwrl zTIe~>$F@Y{WYS2m<+wDjKld1WKDWgAufHc6f4{NkYYw(QzG}VO;j#8;oJtG(&$Q5U zf7f?C+$HQd;ud4yW&o#@W}xe!}SEoS!iII8R>p;`X}z z-SA9oeY=QpR$D*g@xP4rX->*Q`{Vi-jQ&c@UUS<73$gR>zZ!e~PLtd7E7Ye#=QTPEDd{-P=hmOx z)13KxP#uNiG@r+N(LM#udLH-7v2oY>=JW43#z~qF%z?i%jJ9VhWMk)Lo`?KRUevxD zcCWKorDS2%db`1j*`HDUZPrt;r1qax_RZHbpFllbLC3G7{!-aDU+3t4HDA|#4ed8m zs91Ud_1Tz?vK#P&wJgqx_;u0G(Y`A*e;Tf6Px|=v&l}2qYtwbq616AYeB9Md{CJ#B z6~DPX+f+Lnt!V805$e0s&Bw)l)F*K`ME3aAAYaE~GgO*T`mM0r%pc7cpkVY?O#jEY z-X?MQB-M-SEw6hVr%fDi-Y=N=Ja5_lE2vM3|1G1BU$0VMDL&8hHgmu~Pw~^u zQ!J@LHQVJY)|<8+78Z-w4id?@-sU#<#0^I+Q_ z@ts+F#wmNyQ-YlNRK<1*W!uB=G;_ryo$Y#wwz=tQ(8|75S#Hj&l+U=8vn?H0Gsxk` zrhYIt+tPWJ@|-(gZrxl}Xe$tbGqn=G?3IHs6`hX~(Yk1lSL~AX2^2yO%>+yhO}z^_ zwJ3}AI^+<=f$l-MX!~xZS`7C$s*m-ID9$UJXB8wu2e`+`8(yH9Ve6ReP#ZEjSgs6jc41?aa+Xu{twbaRaxM>rJ+> zCvhIwj_*5Xu}gt}7WB8#rMa1zv*;4a*)(G!rb9=aGw#q3)={pw{#XfT3pSGmxQeca zPvnmtvJV{_wr#M7KXfdAbZiLK_^$)|(5NXL9X*JIMdIiOYL&9oQz*MXw{Jh#V-rX16$}$chX}%iQ>eJ;Sg6&EABJ&DPT+v*rYXYq zQHyLU&~})anyGp#PIjqQwWl4ggz=n0)ejn#_Z`5>$I-G>_UyTuTY|DTS+!>?PB2;Z zXLPROcvExElxw^5NTY@yyw|X``YZ7k!>=7_xCkXSh+Em{4C=6-hNr5uQ4K=!N{(Mz zsf76OB#F|YLDZE!?)ua;opJo)G(fI)b|!ENC<9;1Y2H(x%HwLQ&J9!ET&^%zu9Wtc z@pPb6`N6ThYPqDcY5E61u5{MJcv=QNHMVosOPmvh=f&rt2b`xw}nDdQP!icVAblT#JwU`QBpNPY(Aziy=JTFwaq zzg(CL@ZkF2Ci?#sT@ui3BBg<}MFOP~!2i$EIc>}PB=5(q12^{P=cf}!(L+X|#Mf1< z!oQhB{P{V`yz$Snp^+)kEf(1!j)#(92TeAW2(swnzDDdF}THPG`qV#@yfTzRblJ!%ZO{&@eNGX8_c zj-NjtPw=OA0dfD&qK?{ymxU_vbLtDmpU2M>tG4n!$v?*}?9b1$FB|{kVPo8%puoiQMCUYX-Y0nxH}YrxeE%_T{Qn-y z!io8@?it((`}2L`L1Q?~hDI7J4ehsM{`_2i!T7&j{g=^yBW`B8HJ;yJUq&USczZd| z@*mNL{;S3Q{G9*BE&5+YUz$7Y&+h|n8viQ<2NTaPu9xS*D_BM*?9cBFUNBGWvse~R 
z?9cKSSQz%__Y2pJKOcV_gZ)_kXUw1Px3{UNfcHt!#D1*(E$)zx+t2rZqsBjOZ*Z_X z{5S5AE?y7&tM>&BYi&zej+4P1nyL$=#KiaQ^TuM!4z1^Rdhz*3ad_@)OZ|Iphpyq9 x#*x;6$8qES@Nq@|r{%tDPyK7XTl??ifj5O(yJFdmyGj0bzqY(9<`B!m{{a6BpB4ZB diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp deleted file mode 100644 index 746b1672e640..000000000000 --- a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp +++ /dev/null 
@@ -1,855 +0,0 @@ -/* This source file must have a .cpp extension so that all C++ compilers - recognize the extension without flags. Borland does not know .cxx for - example. */ -#ifndef __cplusplus -# error "A C compiler has been selected for C++." -#endif - -#if !defined(__has_include) -/* If the compiler does not have __has_include, pretend the answer is - always no. */ -# define __has_include(x) 0 -#endif - - -/* Version number components: V=Version, R=Revision, P=Patch - Version date components: YYYY=Year, MM=Month, DD=Day */ - -#if defined(__COMO__) -# define COMPILER_ID "Comeau" - /* __COMO_VERSION__ = VRR */ -# define COMPILER_VERSION_MAJOR DEC(__COMO_VERSION__ / 100) -# define COMPILER_VERSION_MINOR DEC(__COMO_VERSION__ % 100) - -#elif defined(__INTEL_COMPILER) || defined(__ICC) -# define COMPILER_ID "Intel" -# if defined(_MSC_VER) -# define SIMULATE_ID "MSVC" -# endif -# if defined(__GNUC__) -# define SIMULATE_ID "GNU" -# endif - /* __INTEL_COMPILER = VRP prior to 2021, and then VVVV for 2021 and later, - except that a few beta releases use the old format with V=2021. */ -# if __INTEL_COMPILER < 2021 || __INTEL_COMPILER == 202110 || __INTEL_COMPILER == 202111 -# define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER/100) -# define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER/10 % 10) -# if defined(__INTEL_COMPILER_UPDATE) -# define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER_UPDATE) -# else -# define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER % 10) -# endif -# else -# define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER) -# define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER_UPDATE) - /* The third version component from --version is an update index, - but no macro is provided for it. 
*/ -# define COMPILER_VERSION_PATCH DEC(0) -# endif -# if defined(__INTEL_COMPILER_BUILD_DATE) - /* __INTEL_COMPILER_BUILD_DATE = YYYYMMDD */ -# define COMPILER_VERSION_TWEAK DEC(__INTEL_COMPILER_BUILD_DATE) -# endif -# if defined(_MSC_VER) - /* _MSC_VER = VVRR */ -# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) -# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) -# endif -# if defined(__GNUC__) -# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) -# elif defined(__GNUG__) -# define SIMULATE_VERSION_MAJOR DEC(__GNUG__) -# endif -# if defined(__GNUC_MINOR__) -# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) -# endif -# if defined(__GNUC_PATCHLEVEL__) -# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) -# endif - -#elif (defined(__clang__) && defined(__INTEL_CLANG_COMPILER)) || defined(__INTEL_LLVM_COMPILER) -# define COMPILER_ID "IntelLLVM" -#if defined(_MSC_VER) -# define SIMULATE_ID "MSVC" -#endif -#if defined(__GNUC__) -# define SIMULATE_ID "GNU" -#endif -/* __INTEL_LLVM_COMPILER = VVVVRP prior to 2021.2.0, VVVVRRPP for 2021.2.0 and - * later. Look for 6 digit vs. 8 digit version number to decide encoding. - * VVVV is no smaller than the current year when a version is released. 
- */ -#if __INTEL_LLVM_COMPILER < 1000000L -# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/100) -# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/10 % 10) -# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER % 10) -#else -# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/10000) -# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/100 % 100) -# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER % 100) -#endif -#if defined(_MSC_VER) - /* _MSC_VER = VVRR */ -# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) -# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) -#endif -#if defined(__GNUC__) -# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) -#elif defined(__GNUG__) -# define SIMULATE_VERSION_MAJOR DEC(__GNUG__) -#endif -#if defined(__GNUC_MINOR__) -# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) -#endif -#if defined(__GNUC_PATCHLEVEL__) -# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) -#endif - -#elif defined(__PATHCC__) -# define COMPILER_ID "PathScale" -# define COMPILER_VERSION_MAJOR DEC(__PATHCC__) -# define COMPILER_VERSION_MINOR DEC(__PATHCC_MINOR__) -# if defined(__PATHCC_PATCHLEVEL__) -# define COMPILER_VERSION_PATCH DEC(__PATHCC_PATCHLEVEL__) -# endif - -#elif defined(__BORLANDC__) && defined(__CODEGEARC_VERSION__) -# define COMPILER_ID "Embarcadero" -# define COMPILER_VERSION_MAJOR HEX(__CODEGEARC_VERSION__>>24 & 0x00FF) -# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF) -# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__ & 0xFFFF) - -#elif defined(__BORLANDC__) -# define COMPILER_ID "Borland" - /* __BORLANDC__ = 0xVRR */ -# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8) -# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF) - -#elif defined(__WATCOMC__) && __WATCOMC__ < 1200 -# define COMPILER_ID "Watcom" - /* __WATCOMC__ = VVRR */ -# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100) -# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) -# if (__WATCOMC__ % 
10) > 0 -# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) -# endif - -#elif defined(__WATCOMC__) -# define COMPILER_ID "OpenWatcom" - /* __WATCOMC__ = VVRP + 1100 */ -# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100) -# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10) -# if (__WATCOMC__ % 10) > 0 -# define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10) -# endif - -#elif defined(__SUNPRO_CC) -# define COMPILER_ID "SunPro" -# if __SUNPRO_CC >= 0x5100 - /* __SUNPRO_CC = 0xVRRP */ -# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>12) -# define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xFF) -# define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC & 0xF) -# else - /* __SUNPRO_CC = 0xVRP */ -# define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>8) -# define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xF) -# define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC & 0xF) -# endif - -#elif defined(__HP_aCC) -# define COMPILER_ID "HP" - /* __HP_aCC = VVRRPP */ -# define COMPILER_VERSION_MAJOR DEC(__HP_aCC/10000) -# define COMPILER_VERSION_MINOR DEC(__HP_aCC/100 % 100) -# define COMPILER_VERSION_PATCH DEC(__HP_aCC % 100) - -#elif defined(__DECCXX) -# define COMPILER_ID "Compaq" - /* __DECCXX_VER = VVRRTPPPP */ -# define COMPILER_VERSION_MAJOR DEC(__DECCXX_VER/10000000) -# define COMPILER_VERSION_MINOR DEC(__DECCXX_VER/100000 % 100) -# define COMPILER_VERSION_PATCH DEC(__DECCXX_VER % 10000) - -#elif defined(__IBMCPP__) && defined(__COMPILER_VER__) -# define COMPILER_ID "zOS" - /* __IBMCPP__ = VRP */ -# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100) -# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10) -# define COMPILER_VERSION_PATCH DEC(__IBMCPP__ % 10) - -#elif defined(__open_xl__) && defined(__clang__) -# define COMPILER_ID "IBMClang" -# define COMPILER_VERSION_MAJOR DEC(__open_xl_version__) -# define COMPILER_VERSION_MINOR DEC(__open_xl_release__) -# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__) -# define COMPILER_VERSION_TWEAK 
DEC(__open_xl_ptf_fix_level__) - - -#elif defined(__ibmxl__) && defined(__clang__) -# define COMPILER_ID "XLClang" -# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__) -# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__) -# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__) -# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__) - - -#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ >= 800 -# define COMPILER_ID "XL" - /* __IBMCPP__ = VRP */ -# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100) -# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10) -# define COMPILER_VERSION_PATCH DEC(__IBMCPP__ % 10) - -#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ < 800 -# define COMPILER_ID "VisualAge" - /* __IBMCPP__ = VRP */ -# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100) -# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10) -# define COMPILER_VERSION_PATCH DEC(__IBMCPP__ % 10) - -#elif defined(__NVCOMPILER) -# define COMPILER_ID "NVHPC" -# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__) -# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__) -# if defined(__NVCOMPILER_PATCHLEVEL__) -# define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__) -# endif - -#elif defined(__PGI) -# define COMPILER_ID "PGI" -# define COMPILER_VERSION_MAJOR DEC(__PGIC__) -# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__) -# if defined(__PGIC_PATCHLEVEL__) -# define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__) -# endif - -#elif defined(_CRAYC) -# define COMPILER_ID "Cray" -# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR) -# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR) - -#elif defined(__TI_COMPILER_VERSION__) -# define COMPILER_ID "TI" - /* __TI_COMPILER_VERSION__ = VVVRRRPPP */ -# define COMPILER_VERSION_MAJOR DEC(__TI_COMPILER_VERSION__/1000000) -# define COMPILER_VERSION_MINOR DEC(__TI_COMPILER_VERSION__/1000 % 1000) -# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__ % 1000) - -#elif 
defined(__CLANG_FUJITSU) -# define COMPILER_ID "FujitsuClang" -# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) -# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) -# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) -# define COMPILER_VERSION_INTERNAL_STR __clang_version__ - - -#elif defined(__FUJITSU) -# define COMPILER_ID "Fujitsu" -# if defined(__FCC_version__) -# define COMPILER_VERSION __FCC_version__ -# elif defined(__FCC_major__) -# define COMPILER_VERSION_MAJOR DEC(__FCC_major__) -# define COMPILER_VERSION_MINOR DEC(__FCC_minor__) -# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__) -# endif -# if defined(__fcc_version) -# define COMPILER_VERSION_INTERNAL DEC(__fcc_version) -# elif defined(__FCC_VERSION) -# define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION) -# endif - - -#elif defined(__ghs__) -# define COMPILER_ID "GHS" -/* __GHS_VERSION_NUMBER = VVVVRP */ -# ifdef __GHS_VERSION_NUMBER -# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100) -# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10) -# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER % 10) -# endif - -#elif defined(__TASKING__) -# define COMPILER_ID "Tasking" - # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000) - # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100) -# define COMPILER_VERSION_INTERNAL DEC(__VERSION__) - -#elif defined(__SCO_VERSION__) -# define COMPILER_ID "SCO" - -#elif defined(__ARMCC_VERSION) && !defined(__clang__) -# define COMPILER_ID "ARMCC" -#if __ARMCC_VERSION >= 1000000 - /* __ARMCC_VERSION = VRRPPPP */ - # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000) - # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 100) - # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) -#else - /* __ARMCC_VERSION = VRPPPP */ - # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000) - # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10) - # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION % 10000) 
-#endif - - -#elif defined(__clang__) && defined(__apple_build_version__) -# define COMPILER_ID "AppleClang" -# if defined(_MSC_VER) -# define SIMULATE_ID "MSVC" -# endif -# define COMPILER_VERSION_MAJOR DEC(__clang_major__) -# define COMPILER_VERSION_MINOR DEC(__clang_minor__) -# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) -# if defined(_MSC_VER) - /* _MSC_VER = VVRR */ -# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) -# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) -# endif -# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__) - -#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION) -# define COMPILER_ID "ARMClang" - # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000) - # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100) - # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION % 10000) -# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION) - -#elif defined(__clang__) -# define COMPILER_ID "Clang" -# if defined(_MSC_VER) -# define SIMULATE_ID "MSVC" -# endif -# define COMPILER_VERSION_MAJOR DEC(__clang_major__) -# define COMPILER_VERSION_MINOR DEC(__clang_minor__) -# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__) -# if defined(_MSC_VER) - /* _MSC_VER = VVRR */ -# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100) -# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100) -# endif - -#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__)) -# define COMPILER_ID "LCC" -# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100) -# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100) -# if defined(__LCC_MINOR__) -# define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__) -# endif -# if defined(__GNUC__) && defined(__GNUC_MINOR__) -# define SIMULATE_ID "GNU" -# define SIMULATE_VERSION_MAJOR DEC(__GNUC__) -# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__) -# if defined(__GNUC_PATCHLEVEL__) -# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) -# endif -# endif - -#elif 
defined(__GNUC__) || defined(__GNUG__) -# define COMPILER_ID "GNU" -# if defined(__GNUC__) -# define COMPILER_VERSION_MAJOR DEC(__GNUC__) -# else -# define COMPILER_VERSION_MAJOR DEC(__GNUG__) -# endif -# if defined(__GNUC_MINOR__) -# define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__) -# endif -# if defined(__GNUC_PATCHLEVEL__) -# define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__) -# endif - -#elif defined(_MSC_VER) -# define COMPILER_ID "MSVC" - /* _MSC_VER = VVRR */ -# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100) -# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100) -# if defined(_MSC_FULL_VER) -# if _MSC_VER >= 1400 - /* _MSC_FULL_VER = VVRRPPPPP */ -# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000) -# else - /* _MSC_FULL_VER = VVRRPPPP */ -# define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000) -# endif -# endif -# if defined(_MSC_BUILD) -# define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD) -# endif - -#elif defined(_ADI_COMPILER) -# define COMPILER_ID "ADSP" -#if defined(__VERSIONNUM__) - /* __VERSIONNUM__ = 0xVVRRPPTT */ -# define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF) -# define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF) -# define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF) -# define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF) -#endif - -#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) -# define COMPILER_ID "IAR" -# if defined(__VER__) && defined(__ICCARM__) -# define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000) -# define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000) -# define COMPILER_VERSION_PATCH DEC((__VER__) % 1000) -# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) -# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__)) -# define COMPILER_VERSION_MAJOR DEC((__VER__) / 100) 
-# define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100)) -# define COMPILER_VERSION_PATCH DEC(__SUBVERSION__) -# define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__) -# endif - - -/* These compilers are either not known or too old to define an - identification macro. Try to identify the platform and guess that - it is the native compiler. */ -#elif defined(__hpux) || defined(__hpua) -# define COMPILER_ID "HP" - -#else /* unknown compiler */ -# define COMPILER_ID "" -#endif - -/* Construct the string literal in pieces to prevent the source from - getting matched. Store it in a pointer rather than an array - because some compilers will just produce instructions to fill the - array rather than assigning a pointer to a static array. */ -char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]"; -#ifdef SIMULATE_ID -char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]"; -#endif - -#ifdef __QNXNTO__ -char const* qnxnto = "INFO" ":" "qnxnto[]"; -#endif - -#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) -char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]"; -#endif - -#define STRINGIFY_HELPER(X) #X -#define STRINGIFY(X) STRINGIFY_HELPER(X) - -/* Identify known platforms by name. 
*/ -#if defined(__linux) || defined(__linux__) || defined(linux) -# define PLATFORM_ID "Linux" - -#elif defined(__MSYS__) -# define PLATFORM_ID "MSYS" - -#elif defined(__CYGWIN__) -# define PLATFORM_ID "Cygwin" - -#elif defined(__MINGW32__) -# define PLATFORM_ID "MinGW" - -#elif defined(__APPLE__) -# define PLATFORM_ID "Darwin" - -#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32) -# define PLATFORM_ID "Windows" - -#elif defined(__FreeBSD__) || defined(__FreeBSD) -# define PLATFORM_ID "FreeBSD" - -#elif defined(__NetBSD__) || defined(__NetBSD) -# define PLATFORM_ID "NetBSD" - -#elif defined(__OpenBSD__) || defined(__OPENBSD) -# define PLATFORM_ID "OpenBSD" - -#elif defined(__sun) || defined(sun) -# define PLATFORM_ID "SunOS" - -#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__) -# define PLATFORM_ID "AIX" - -#elif defined(__hpux) || defined(__hpux__) -# define PLATFORM_ID "HP-UX" - -#elif defined(__HAIKU__) -# define PLATFORM_ID "Haiku" - -#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS) -# define PLATFORM_ID "BeOS" - -#elif defined(__QNX__) || defined(__QNXNTO__) -# define PLATFORM_ID "QNX" - -#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__) -# define PLATFORM_ID "Tru64" - -#elif defined(__riscos) || defined(__riscos__) -# define PLATFORM_ID "RISCos" - -#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__) -# define PLATFORM_ID "SINIX" - -#elif defined(__UNIX_SV__) -# define PLATFORM_ID "UNIX_SV" - -#elif defined(__bsdos__) -# define PLATFORM_ID "BSDOS" - -#elif defined(_MPRAS) || defined(MPRAS) -# define PLATFORM_ID "MP-RAS" - -#elif defined(__osf) || defined(__osf__) -# define PLATFORM_ID "OSF1" - -#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv) -# define PLATFORM_ID "SCO_SV" - -#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX) -# define PLATFORM_ID "ULTRIX" - -#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX) -# define 
PLATFORM_ID "Xenix" - -#elif defined(__WATCOMC__) -# if defined(__LINUX__) -# define PLATFORM_ID "Linux" - -# elif defined(__DOS__) -# define PLATFORM_ID "DOS" - -# elif defined(__OS2__) -# define PLATFORM_ID "OS2" - -# elif defined(__WINDOWS__) -# define PLATFORM_ID "Windows3x" - -# elif defined(__VXWORKS__) -# define PLATFORM_ID "VxWorks" - -# else /* unknown platform */ -# define PLATFORM_ID -# endif - -#elif defined(__INTEGRITY) -# if defined(INT_178B) -# define PLATFORM_ID "Integrity178" - -# else /* regular Integrity */ -# define PLATFORM_ID "Integrity" -# endif - -# elif defined(_ADI_COMPILER) -# define PLATFORM_ID "ADSP" - -#else /* unknown platform */ -# define PLATFORM_ID - -#endif - -/* For windows compilers MSVC and Intel we can determine - the architecture of the compiler being used. This is because - the compilers do not have flags that can change the architecture, - but rather depend on which compiler is being used -*/ -#if defined(_WIN32) && defined(_MSC_VER) -# if defined(_M_IA64) -# define ARCHITECTURE_ID "IA64" - -# elif defined(_M_ARM64EC) -# define ARCHITECTURE_ID "ARM64EC" - -# elif defined(_M_X64) || defined(_M_AMD64) -# define ARCHITECTURE_ID "x64" - -# elif defined(_M_IX86) -# define ARCHITECTURE_ID "X86" - -# elif defined(_M_ARM64) -# define ARCHITECTURE_ID "ARM64" - -# elif defined(_M_ARM) -# if _M_ARM == 4 -# define ARCHITECTURE_ID "ARMV4I" -# elif _M_ARM == 5 -# define ARCHITECTURE_ID "ARMV5I" -# else -# define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM) -# endif - -# elif defined(_M_MIPS) -# define ARCHITECTURE_ID "MIPS" - -# elif defined(_M_SH) -# define ARCHITECTURE_ID "SHx" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__WATCOMC__) -# if defined(_M_I86) -# define ARCHITECTURE_ID "I86" - -# elif defined(_M_IX86) -# define ARCHITECTURE_ID "X86" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC) -# if 
defined(__ICCARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__ICCRX__) -# define ARCHITECTURE_ID "RX" - -# elif defined(__ICCRH850__) -# define ARCHITECTURE_ID "RH850" - -# elif defined(__ICCRL78__) -# define ARCHITECTURE_ID "RL78" - -# elif defined(__ICCRISCV__) -# define ARCHITECTURE_ID "RISCV" - -# elif defined(__ICCAVR__) -# define ARCHITECTURE_ID "AVR" - -# elif defined(__ICC430__) -# define ARCHITECTURE_ID "MSP430" - -# elif defined(__ICCV850__) -# define ARCHITECTURE_ID "V850" - -# elif defined(__ICC8051__) -# define ARCHITECTURE_ID "8051" - -# elif defined(__ICCSTM8__) -# define ARCHITECTURE_ID "STM8" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__ghs__) -# if defined(__PPC64__) -# define ARCHITECTURE_ID "PPC64" - -# elif defined(__ppc__) -# define ARCHITECTURE_ID "PPC" - -# elif defined(__ARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__x86_64__) -# define ARCHITECTURE_ID "x64" - -# elif defined(__i386__) -# define ARCHITECTURE_ID "X86" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -#elif defined(__TI_COMPILER_VERSION__) -# if defined(__TI_ARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__MSP430__) -# define ARCHITECTURE_ID "MSP430" - -# elif defined(__TMS320C28XX__) -# define ARCHITECTURE_ID "TMS320C28x" - -# elif defined(__TMS320C6X__) || defined(_TMS320C6X) -# define ARCHITECTURE_ID "TMS320C6x" - -# else /* unknown architecture */ -# define ARCHITECTURE_ID "" -# endif - -# elif defined(__ADSPSHARC__) -# define ARCHITECTURE_ID "SHARC" - -# elif defined(__ADSPBLACKFIN__) -# define ARCHITECTURE_ID "Blackfin" - -#elif defined(__TASKING__) - -# if defined(__CTC__) || defined(__CPTC__) -# define ARCHITECTURE_ID "TriCore" - -# elif defined(__CMCS__) -# define ARCHITECTURE_ID "MCS" - -# elif defined(__CARM__) -# define ARCHITECTURE_ID "ARM" - -# elif defined(__CARC__) -# define ARCHITECTURE_ID "ARC" - -# elif defined(__C51__) -# define ARCHITECTURE_ID 
"8051" - -# elif defined(__CPCP__) -# define ARCHITECTURE_ID "PCP" - -# else -# define ARCHITECTURE_ID "" -# endif - -#else -# define ARCHITECTURE_ID -#endif - -/* Convert integer to decimal digit literals. */ -#define DEC(n) \ - ('0' + (((n) / 10000000)%10)), \ - ('0' + (((n) / 1000000)%10)), \ - ('0' + (((n) / 100000)%10)), \ - ('0' + (((n) / 10000)%10)), \ - ('0' + (((n) / 1000)%10)), \ - ('0' + (((n) / 100)%10)), \ - ('0' + (((n) / 10)%10)), \ - ('0' + ((n) % 10)) - -/* Convert integer to hex digit literals. */ -#define HEX(n) \ - ('0' + ((n)>>28 & 0xF)), \ - ('0' + ((n)>>24 & 0xF)), \ - ('0' + ((n)>>20 & 0xF)), \ - ('0' + ((n)>>16 & 0xF)), \ - ('0' + ((n)>>12 & 0xF)), \ - ('0' + ((n)>>8 & 0xF)), \ - ('0' + ((n)>>4 & 0xF)), \ - ('0' + ((n) & 0xF)) - -/* Construct a string literal encoding the version number. */ -#ifdef COMPILER_VERSION -char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]"; - -/* Construct a string literal encoding the version number components. */ -#elif defined(COMPILER_VERSION_MAJOR) -char const info_version[] = { - 'I', 'N', 'F', 'O', ':', - 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[', - COMPILER_VERSION_MAJOR, -# ifdef COMPILER_VERSION_MINOR - '.', COMPILER_VERSION_MINOR, -# ifdef COMPILER_VERSION_PATCH - '.', COMPILER_VERSION_PATCH, -# ifdef COMPILER_VERSION_TWEAK - '.', COMPILER_VERSION_TWEAK, -# endif -# endif -# endif - ']','\0'}; -#endif - -/* Construct a string literal encoding the internal version number. 
*/ -#ifdef COMPILER_VERSION_INTERNAL -char const info_version_internal[] = { - 'I', 'N', 'F', 'O', ':', - 'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_', - 'i','n','t','e','r','n','a','l','[', - COMPILER_VERSION_INTERNAL,']','\0'}; -#elif defined(COMPILER_VERSION_INTERNAL_STR) -char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]"; -#endif - -/* Construct a string literal encoding the version number components. */ -#ifdef SIMULATE_VERSION_MAJOR -char const info_simulate_version[] = { - 'I', 'N', 'F', 'O', ':', - 's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[', - SIMULATE_VERSION_MAJOR, -# ifdef SIMULATE_VERSION_MINOR - '.', SIMULATE_VERSION_MINOR, -# ifdef SIMULATE_VERSION_PATCH - '.', SIMULATE_VERSION_PATCH, -# ifdef SIMULATE_VERSION_TWEAK - '.', SIMULATE_VERSION_TWEAK, -# endif -# endif -# endif - ']','\0'}; -#endif - -/* Construct the string literal in pieces to prevent the source from - getting matched. Store it in a pointer rather than an array - because some compilers will just produce instructions to fill the - array rather than assigning a pointer to a static array. 
*/ -char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]"; -char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]"; - - - -#if defined(__INTEL_COMPILER) && defined(_MSVC_LANG) && _MSVC_LANG < 201403L -# if defined(__INTEL_CXX11_MODE__) -# if defined(__cpp_aggregate_nsdmi) -# define CXX_STD 201402L -# else -# define CXX_STD 201103L -# endif -# else -# define CXX_STD 199711L -# endif -#elif defined(_MSC_VER) && defined(_MSVC_LANG) -# define CXX_STD _MSVC_LANG -#else -# define CXX_STD __cplusplus -#endif - -const char* info_language_standard_default = "INFO" ":" "standard_default[" -#if CXX_STD > 202002L - "23" -#elif CXX_STD > 201703L - "20" -#elif CXX_STD >= 201703L - "17" -#elif CXX_STD >= 201402L - "14" -#elif CXX_STD >= 201103L - "11" -#else - "98" -#endif -"]"; - -const char* info_language_extensions_default = "INFO" ":" "extensions_default[" -#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) || \ - defined(__TI_COMPILER_VERSION__)) && \ - !defined(__STRICT_ANSI__) - "ON" -#else - "OFF" -#endif -"]"; - -/*--------------------------------------------------------------------------*/ - -int main(int argc, char* argv[]) -{ - int require = 0; - require += info_compiler[argc]; - require += info_platform[argc]; - require += info_arch[argc]; -#ifdef COMPILER_VERSION_MAJOR - require += info_version[argc]; -#endif -#ifdef COMPILER_VERSION_INTERNAL - require += info_version_internal[argc]; -#endif -#ifdef SIMULATE_ID - require += info_simulate[argc]; -#endif -#ifdef SIMULATE_VERSION_MAJOR - require += info_simulate_version[argc]; -#endif -#if defined(__CRAYXT_COMPUTE_LINUX_TARGET) - require += info_cray[argc]; -#endif - require += info_language_standard_default[argc]; - require += info_language_extensions_default[argc]; - (void)argv; - return require; -} 
diff --git a/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml b/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
deleted file mode 100644
index 353c44960b88..000000000000
--- a/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
+++ /dev/null
@@ -1,451 +0,0 @@ - ---- -events: - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineSystem.cmake:204 (message)" - - "CMakeLists.txt" - message: | - The system is: Linux - 5.18.13-200.fc36.aarch64 - aarch64 - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCCompiler.cmake:123 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the C compiler identification source file "CMakeCCompilerId.c" succeeded. - Compiler: /usr/bin/cc - Build flags: - Id flags: - - The output was: - 0 - - - Compilation of the C compiler identification source "CMakeCCompilerId.c" produced "a.out" - - The C compiler identification is GNU, found in: - /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
- Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: -c - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: --c++ - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: --ec++ - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
- Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: -c;-I__does_not_exist__ - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
- Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: -c - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: --c++ - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: --ec++ - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. 
- Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 - - The output was: - No such file or directory - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)" - - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)" - - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)" - - "CMakeLists.txt" - message: | - Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed. - Compiler: CMAKE_CXX_COMPILER-NOTFOUND - Build flags: - Id flags: -c;-I__does_not_exist__ - - The output was: - No such file or directory - - - - - kind: "try_compile-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:57 (try_compile)" - - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)" - - "CMakeLists.txt" - checks: - - "Detecting C compiler ABI info" - directories: - source: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C" - binary: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C" - cmakeVariables: - CMAKE_C_FLAGS: "" - buildResult: - variable: "CMAKE_C_ABI_COMPILED" - cached: true - stdout: | - Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C - - Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build - gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C' - Building C object CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o - /usr/bin/cc -v -o 
CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c - Using built-in specs. - COLLECT_GCC=/usr/bin/cc - Target: aarch64-redhat-linux - Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1 - Thread model: posix - Supported LTO compression algorithms: zlib zstd - gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) - COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/' - /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s - GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux) - compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP - - GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072 - ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed" - ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include" - 
#include "..." search starts here: - #include <...> search starts here: - /usr/lib/gcc/aarch64-redhat-linux/12/include - /usr/local/include - /usr/include - End of search list. - GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux) - compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP - - GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072 - Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454 - COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/' - as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s - GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36 - COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/ - LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/ - COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.' - Linking C executable cmTC_cf024 - /usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1 - /usr/bin/cc -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 - Using built-in specs. 
- COLLECT_GCC=/usr/bin/cc - COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper - Target: aarch64-redhat-linux - Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1 - Thread model: posix - Supported LTO compression algorithms: zlib zstd - gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) - COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/ - LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/ - COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.' 
- /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o - COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.' 
- gmake[1]: Leaving directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C' - - exitCode: 0 - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:127 (message)" - - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)" - - "CMakeLists.txt" - message: | - Parsed C implicit include dir info: rv=done - found start of include info - found start of implicit include info - add: [/usr/lib/gcc/aarch64-redhat-linux/12/include] - add: [/usr/local/include] - add: [/usr/include] - end of search list found - collapse include dir [/usr/lib/gcc/aarch64-redhat-linux/12/include] ==> [/usr/lib/gcc/aarch64-redhat-linux/12/include] - collapse include dir [/usr/local/include] ==> [/usr/local/include] - collapse include dir [/usr/include] ==> [/usr/include] - implicit include dirs: [/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include] - - - - - kind: "message-v1" - backtrace: - - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:152 (message)" - - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)" - - "CMakeLists.txt" - message: | - Parsed C implicit link information: - link line regex: [^( *|.*[/\\])(ld|CMAKE_LINK_STARTFILE-NOTFOUND|([^/\\]+-)?ld|collect2)[^/\\]*( |$)] - ignore line: [Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C] - ignore line: [] - ignore line: [Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build] - ignore line: [gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C'] - ignore line: [Building C object 
CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o] - ignore line: [/usr/bin/cc -v -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c] - ignore line: [Using built-in specs.] - ignore line: [COLLECT_GCC=/usr/bin/cc] - ignore line: [Target: aarch64-redhat-linux] - ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1] - ignore line: [Thread model: posix] - ignore line: [Supported LTO compression algorithms: zlib zstd] - ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ] - ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'] - ignore line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s] - ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)] - ignore line: [ compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1) GMP version 6.2.1 MPFR version 4.1.0-p13 MPC version 1.2.1 isl version isl-0.18-GMP] - ignore line: [] - ignore line: 
[GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072] - ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed"] - ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include"] - ignore line: [#include "..." search starts here:] - ignore line: [#include <...> search starts here:] - ignore line: [ /usr/lib/gcc/aarch64-redhat-linux/12/include] - ignore line: [ /usr/local/include] - ignore line: [ /usr/include] - ignore line: [End of search list.] - ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)] - ignore line: [ compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1) GMP version 6.2.1 MPFR version 4.1.0-p13 MPC version 1.2.1 isl version isl-0.18-GMP] - ignore line: [] - ignore line: [GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072] - ignore line: [Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454] - ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'] - ignore line: [ as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s] - ignore line: [GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36] - ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/] - ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/] - ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' 
'-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.'] - ignore line: [Linking C executable cmTC_cf024] - ignore line: [/usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1] - ignore line: [/usr/bin/cc -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 ] - ignore line: [Using built-in specs.] - ignore line: [COLLECT_GCC=/usr/bin/cc] - ignore line: [COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper] - ignore line: [Target: aarch64-redhat-linux] - ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1] - ignore line: [Thread model: posix] - ignore line: [Supported LTO compression algorithms: zlib zstd] - ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ] - ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/] - ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/] - ignore line: [COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 
'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.'] - link line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] - arg [/usr/libexec/gcc/aarch64-redhat-linux/12/collect2] ==> ignore - arg [-plugin] ==> ignore - arg [/usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so] ==> ignore - arg [-plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper] ==> ignore - arg [-plugin-opt=-fresolution=/tmp/cchKwJNt.res] ==> ignore - arg [-plugin-opt=-pass-through=-lgcc] ==> ignore - arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore - arg [-plugin-opt=-pass-through=-lc] ==> ignore - arg [-plugin-opt=-pass-through=-lgcc] ==> ignore - arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore - arg [--build-id] ==> ignore - arg [--no-add-needed] ==> ignore - arg [--eh-frame-hdr] ==> ignore - arg [--hash-style=gnu] ==> ignore - arg [-export-dynamic] ==> ignore - arg 
[-dynamic-linker] ==> ignore - arg [/lib/ld-linux-aarch64.so.1] ==> ignore - arg [-X] ==> ignore - arg [-EL] ==> ignore - arg [-maarch64linux] ==> ignore - arg [-o] ==> ignore - arg [cmTC_cf024] ==> ignore - arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] - arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] - arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o] - arg [-L/usr/lib/gcc/aarch64-redhat-linux/12] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12] - arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] - arg [-L/lib/../lib64] ==> dir [/lib/../lib64] - arg [-L/usr/lib/../lib64] ==> dir [/usr/lib/../lib64] - arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..] 
- arg [CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o] ==> ignore - arg [-lgcc] ==> lib [gcc] - arg [--push-state] ==> ignore - arg [--as-needed] ==> ignore - arg [-lgcc_s] ==> lib [gcc_s] - arg [--pop-state] ==> ignore - arg [-lc] ==> lib [c] - arg [-lgcc] ==> lib [gcc] - arg [--push-state] ==> ignore - arg [--as-needed] ==> ignore - arg [-lgcc_s] ==> lib [gcc_s] - arg [--pop-state] ==> ignore - arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o] - arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] - collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> [/usr/lib64/crt1.o] - collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> [/usr/lib64/crti.o] - collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> [/usr/lib64/crtn.o] - collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12] ==> [/usr/lib/gcc/aarch64-redhat-linux/12] - collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> [/usr/lib64] - collapse library dir [/lib/../lib64] ==> [/lib64] - collapse library dir [/usr/lib/../lib64] ==> [/usr/lib64] - collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> [/usr/lib] - implicit libs: [gcc;gcc_s;c;gcc;gcc_s] - implicit objs: [/usr/lib64/crt1.o;/usr/lib64/crti.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o;/usr/lib64/crtn.o] - implicit dirs: [/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib] - implicit fwks: [] - - -... diff --git a/products/bascontrol22d4/CMakeFiles/cmake.check_cache b/products/bascontrol22d4/CMakeFiles/cmake.check_cache deleted file mode 100644 index 3dccd731726d..000000000000 --- a/products/bascontrol22d4/CMakeFiles/cmake.check_cache +++ /dev/null 
@@ -1 +0,0 @@ -# This file is generated by cmake for dependency checking of the CMakeCache.txt file From 59489d51e790d7fe00ee684640b61f1bfb08ac38 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 13:18:45 -0600 Subject: [PATCH 005/265] Remove Qlty from gate --- .github/workflows/gate_fedora.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml index 22c686c8f9d4..d70d0507ab5b 100644 --- a/.github/workflows/gate_fedora.yml +++ b/.github/workflows/gate_fedora.yml @@ -73,12 +73,5 @@ jobs: working-directory: ./build - name: "Set git safe directory, ref: https://github.com/actions/checkout/issues/760" run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - name: Upload coverage to Qlty # Requires: git package - if: ${{ github.repository == 'ComplianceAsCode/content' }} - uses: qltysh/qlty-action/coverage@a19242102d17e497f437d7466aa01b528537e899 # v2.2.0 - with: - token: qltcp_kdIPsqNZzW5rYoxq - files: build/tests/coverage.xml - strip-prefix: /__w/content/content - name: Validate gitmailmap run: grep -E "\S" .mailmap | grep -Ev '^#' | git check-mailmap --stdin From 0d6085a9599144aee907eb7afed9c8f914ee64d4 Mon Sep 17 00:00:00 2001 
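Review bot: Deleting the `token: qltcp_…` line together with the Qlty step does not revoke that credential; it was committed in clear text and remains reachable in the repository history, so anyone who can read the repo can still present it. Whether it is scoped to coverage uploads only or grants more on the Qlty side cannot be told from the workflow, so it should be treated as exposed and rotated regardless. If the upload step is ever restored, take the value from `${{ secrets.QLTY_COVERAGE_TOKEN }}` instead of a literal, and a secret-scanning check in the gate would catch this pattern before merge next time.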
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Fri, 6 Feb 2026 16:02:25 +0200 Subject: [PATCH 006/265] User ansible_enable_dconf_user_profile macro to set user gdm profile and use dconf_gdm_dirvariable for location --- .../ansible/shared.yml | 7 +--- .../ansible/shared.yml | 4 +++ .../policy/stig/shared.yml | 5 ++- .../ansible/shared.yml | 12 ++----- .../bash/shared.sh | 4 +-- .../oval/shared.xml | 4 +-- .../dconf_gnome_disable_automount/rule.yml | 7 ++-- .../tests/correct_value.pass.sh | 5 ++- .../tests/missing_profiles.fail.sh | 4 +-- .../tests/wrong_value.fail.sh | 4 +-- .../ansible/shared.yml | 12 ++----- .../bash/shared.sh | 4 +-- .../oval/shared.xml | 4 +-- .../rule.yml | 6 ++-- .../tests/correct_value.pass.sh | 6 ++-- .../tests/missing_profiles.fail.sh | 4 +-- .../ansible/shared.yml | 10 ++++-- .../bash/shared.sh | 8 +++-- .../oval/shared.xml | 4 +-- .../policy/stig/shared.yml | 2 +- .../dconf_gnome_disable_autorun/rule.yml | 6 ++-- .../tests/correct_value.pass.sh | 4 +-- .../tests/missing_profiles.fail.sh | 6 ++-- .../ansible/shared.yml | 8 +++-- .../bash/shared.sh | 7 ++-- .../oval/shared.xml | 4 +-- .../rule.yml | 7 ++-- .../ansible/shared.yml | 8 +++-- .../bash/shared.sh | 7 ++-- .../oval/shared.xml | 4 +-- .../rule.yml | 7 ++-- .../ansible/shared.yml | 8 +++-- .../bash/shared.sh | 8 +++-- .../oval/shared.xml | 4 +-- .../rule.yml | 7 ++-- .../tests/comment.fail.sh | 4 +-- .../tests/correct_value.pass.sh | 5 +-- .../tests/missing_lock.fail.sh | 2 +- .../tests/wrong_value.fail.sh | 4 +-- .../bash/shared.sh | 9 +++-- .../oval/shared.xml | 12 +++---- .../policy/stig/shared.yml | 4 +-- .../rule.yml | 9 +++-- .../tests/comment.fail.sh | 4 +-- .../tests/correct_value.pass.sh | 6 ++-- .../tests/correct_value_not_locked.fail.sh | 2 +- .../tests/correct_value_wrong_db.fail.sh | 2 +- .../tests/missing_profiles.fail.sh | 4 +-- .../tests/setting_not_there.fail.sh | 2 +- .../tests/wrong_value.fail.sh | 4 +-- 
.../tests/zero_value.fail.sh | 4 +-- .../bash/shared.sh | 5 +-- .../oval/shared.xml | 10 +++--- .../policy/stig/shared.yml | 4 +-- .../rule.yml | 3 +- .../tests/comment.fail.sh | 4 +-- .../tests/correct_value.pass.sh | 6 ++-- .../tests/correct_value_not_locked.fail.sh | 2 +- .../tests/correct_value_wrong_db.fail.sh | 2 +- .../tests/missing_profiles.fail.sh | 4 +-- .../tests/setting_not_there.fail.sh | 2 +- .../tests/wrong_value.fail.sh | 4 +-- .../ansible/shared.yml | 12 ++++--- .../bash/shared.sh | 9 ++--- .../oval/shared.xml | 8 ++--- .../policy/stig/shared.yml | 4 +-- .../rule.yml | 7 ++-- .../tests/comment.fail.sh | 8 ++--- .../tests/correct_value.pass.sh | 8 ++--- .../tests/correct_value_unlocked.fail.sh | 4 +-- .../tests/missing_profiles.fail.sh | 4 +-- .../tests/wrong_value.fail.sh | 8 ++--- .../ansible/shared.yml | 8 +++-- .../bash/shared.sh | 8 +++-- .../oval/shared.xml | 4 +-- .../policy/stig/shared.yml | 4 +-- .../rule.yml | 8 ++--- .../tests/comment.fail.sh | 4 +-- .../tests/correct_value.pass.sh | 5 +-- .../tests/correct_value_not_locked.fail.sh | 2 +- .../tests/wrong_value.fail.sh | 4 +-- .../ansible/shared.yml | 8 +++-- .../bash/shared.sh | 5 ++- .../oval/shared.xml | 2 +- .../policy/stig/shared.yml | 6 ++-- .../rule.yml | 5 ++- .../tests/correct_value.pass.sh | 3 +- .../ansible/shared.yml | 6 +++- .../bash/shared.sh | 6 ++-- .../oval/shared.xml | 2 +- .../policy/stig/shared.yml | 6 ++-- .../rule.yml | 5 ++- .../tests/comented_value.fail.sh | 2 +- .../tests/correct_value.pass.sh | 3 +- shared/macros/10-ansible.jinja | 34 +++++++++++++++++++ 95 files changed, 303 insertions(+), 243 deletions(-) diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml index c6d042fb3ba3..df0e3739cdc3 100644 --- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml 
+++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml @@ -4,9 +4,4 @@ # complexity = low # disruption = medium -- name: "Configure GNOME3 DConf User Profile" - ansible.builtin.lineinfile: - dest: "/etc/dconf/profile/gdm" - line: "user-db:user\nsystem-db:gdm" - create: yes - state: present +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml index d7ef96c9dce7..1d1453d42a41 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml @@ -21,6 +21,10 @@ create: yes register: result_lineinfile +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} + - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml index 9d2f897592bb..a30d3e50ba2e 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml 
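Review bot: In the dconf_gnome_disable_user_list hunk the `Dconf Update` task still fires only `when: result_ini is changed or result_lineinfile is changed`, so on sle15/sle16 a run in which only the gdm profile written by `ansible_enable_dconf_user_profile` changes will not recompile the database. I cannot see from here whether the macro registers a result of its own; if it does not, either have it register one and extend the condition, e.g. `when: result_ini is changed or result_lineinfile is changed or result_profile is changed`, or run `dconf update` unconditionally with `changed_when: false`. The lineinfile task that registers `result_lineinfile` starts above the hunk.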
@@ -19,9 +19,9 @@ fixtext: |- Configure {{{ full_name }}} to disable the user list at logon for graphical user interfaces. Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database "local" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "{{{ dconf_gdm_dir }}}" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - $ sudo touch /etc/dconf/db/local.d/02-login-screen + $ sudo touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/02-login-screen [org/gnome/login-screen] disable-user-list=true @@ -29,4 +29,3 @@ fixtext: |- Update the system databases: $ sudo dconf update - diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml index 3a44e002d5c9..141f7588da4f 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml @@ -5,7 +5,7 @@ # disruption = medium - name: "Disable GNOME3 Automounting - automount" community.general.ini_file: - dest: /etc/dconf/db/local.d/00-security-settings + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/desktop/media-handling option: automount value: "false" 
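Review bot: The rewritten note in fixtext now reads `database "{{{ dconf_gdm_dir }}}"`, but the sentence it replaces named the database (`local`), while the same variable stands in for the directory literal `local.d` everywhere else in this commit (the bash hunks of dconf_gnome_disable_automount, for instance), so the rendered text will most likely call a directory a database. If dconf_gdm_dir does expand to a directory name, say so: `Note: The example below is using the database directory "{{{ dconf_gdm_dir }}}" for the system.` The profile file referenced in the same sentence lists databases by name, not by directory, so keeping the two terms apart matters to anyone following the fix text. The fixtext block starts before this hunk.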
@@ -15,20 +15,14 @@ - name: "Prevent user modification of GNOME3 Automounting - automount" ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings regexp: '^/org/gnome/desktop/media-handling/automount$' line: '/org/gnome/desktop/media-handling/automount' create: yes register: result_lineinfile -# apply fix for enable_dconf_user_profile, OVAL checks it {{% if product in ['sle15', 'sle16'] %}} -- name: "Configure GNOME3 DConf User Profile" - ansible.builtin.lineinfile: - dest: "/etc/dconf/profile/gdm" - line: "user-db:user\nsystem-db:gdm" - create: yes - state: present +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} - name: Dconf Update diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh index cb549a403266..974073b037d9 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh @@ -10,5 +10,5 @@ {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} -{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", "local.d", "00-security-settings", rule_id=rule_id) }}} -{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", "local.d", "00-security-settings-lock") }}} +{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", dconf_gdm_dir, "00-security-settings-lock") }}} 
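Review bot: The new lock `path:` drops the `-lock` suffix: `path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings`, while the bash remediation in this same commit (`bash_dconf_lock(..., dconf_gdm_dir, "00-security-settings-lock")`), the rule.yml description, and the Ansible files of dconf_gnome_disable_automount_open, dconf_gnome_disable_autorun and dconf_gnome_remote_access_credential_prompt all keep `00-security-settings-lock`. dconf reads every file under `locks/`, so the lock still takes effect, but Ansible and bash would now manage two different files and an existing `-lock` file would be left unmanaged by the Ansible path. Restore the suffix: `path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock`.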
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml index 35d7819f6072..2320ee3d3e96 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml @@ -20,7 +20,7 @@ - /etc/dconf/db/local.d/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/ ^.*$ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$ 1 @@ -33,7 +33,7 @@ - /etc/dconf/db/local.d/locks/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/ ^.*$ ^/org/gnome/desktop/media-handling/automount$ 1 diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml index d4c138569ff3..18d34513ebe2 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml @@ -7,12 +7,12 @@ description: |- The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set - automount to false in /etc/dconf/db/local.d/00-security-settings. + automount to false in /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings. For example:
[org/gnome/desktop/media-handling]
     automount=false
Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/automount
After the settings have been set, run dconf update. @@ -51,6 +51,5 @@ ocil: |-
$ gsettings get org.gnome.desktop.media-handling automount
If properly configured, the output for automount should be false. To ensure that users cannot enable automount in GNOME3, run the following: -
$ grep 'automount' /etc/dconf/db/local.d/locks/*
+
$ grep 'automount' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount - diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh index 7d4b240f1bef..afb93f910b9f 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh @@ -8,6 +8,5 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles -add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings" - +add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh index 4f7194e4915b..c6fb72e4b90b 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh 
@@ -8,5 +8,5 @@ install_dconf_and_gdm_if_needed clean_dconf_settings -add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings" +add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh index af2b99f699e1..62f9fa4e0576 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh @@ -7,5 +7,5 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles -add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" +add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml index b807cc913da5..0960dea77109 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml 
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml @@ -5,7 +5,7 @@ # disruption = medium - name: "Disable GNOME3 Automounting - automount-open" community.general.ini_file: - dest: /etc/dconf/db/local.d/00-security-settings + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/desktop/media-handling option: automount-open value: "false" @@ -15,20 +15,14 @@ - name: "Prevent user modification of GNOME3 Automounting - automount-open" ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/media-handling/automount-open$' line: '/org/gnome/desktop/media-handling/automount-open' create: yes register: result_lineinfile -# apply fix for enable_dconf_user_profile, OVAL checks it {{% if product in ['sle15', 'sle16'] %}} -- name: "Configure GNOME3 DConf User Profile" - ansible.builtin.lineinfile: - dest: "/etc/dconf/profile/gdm" - line: "user-db:user\nsystem-db:gdm" - create: yes - state: present +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} - name: Dconf Update diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh index fb7ce9c74e2a..269047aeb1c6 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh 
@@ -10,5 +10,5 @@ {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} -{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings", rule_id=rule_id) }}} -{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}} +{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", dconf_gdm_dir , "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", dconf_gdm_dir, "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml index d4000f292d26..76d24f3fc58a 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml @@ -20,7 +20,7 @@ - /etc/dconf/db/local.d/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/ ^.*$ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$ 1 @@ -33,7 +33,7 @@ - /etc/dconf/db/local.d/locks/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/ ^.*$ ^/org/gnome/desktop/media-handling/automount-open$ 1 diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml index 1e0636944e3a..6757aeabd6d5 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml 
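Review bot: Style: the rewritten `bash_dconf_settings` call has a stray space before the comma, `dconf_gdm_dir , "00-security-settings"`, which no other call site in this commit has. Use `{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}}` so the four bash remediations read the same.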
@@ -7,12 +7,12 @@ description: |- The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set - automount-open to false in /etc/dconf/db/local.d/00-security-settings. + automount-open to false in /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings. For example:
[org/gnome/desktop/media-handling]
     automount-open=false
Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update. @@ -52,7 +52,7 @@ ocil: |-
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false. To ensure that users cannot enable automount opening in GNOME3, run the following: -
$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
+
$ grep 'automount-open' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh index 4539136d777d..b6fc5dc7514b 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh @@ -8,7 +8,5 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles -add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" - - +add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh index 21c8d7c2f7a0..e15a7255183d 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh 
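Review bot: The ocil text this hunk rewrites still carries the pre-existing typo `automount-openshould be false` (missing space) on the context line directly above the changed grep command; the commit does not introduce it, but since the block is already being edited it is worth fixing here: `If properly configured, the output for automount-open should be false.` The same pattern (`autorun-nevershould`) appears in the corresponding hunk of dconf_gnome_disable_autorun/rule.yml.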
@@ -8,5 +8,5 @@ install_dconf_and_gdm_if_needed clean_dconf_settings -add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" +add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml index cb6e011ff7ea..817548d86c02 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml @@ -1,11 +1,11 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable GNOME3 Automounting - autorun-never" community.general.ini_file: - dest: /etc/dconf/db/local.d/00-security-settings + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/desktop/media-handling option: autorun-never value: "true" @@ -15,7 +15,7 @@ - name: "Prevent user modification of GNOME3 Automounting - autorun-never" ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/media-handling/autorun-never$' line: '/org/gnome/desktop/media-handling/autorun-never' create: yes 
@@ -24,3 +24,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh index a0f809515812..b31b512e6320 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh @@ -5,5 +5,9 @@ {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} -{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings", rule_id=rule_id) }}} -{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}} +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} + +{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", dconf_gdm_dir, "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml index 976ac69ae151..90d425d00b4f 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml 
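Review bot: The `ansible_enable_dconf_user_profile` block is appended after the `Dconf Update` task, whereas the other Ansible files in this commit (dconf_gnome_disable_user_list, dconf_gnome_disable_automount, dconf_gnome_disable_automount_open) place it before that task; dconf_gnome_remote_access_credential_prompt/ansible/shared.yml uses the same trailing placement as this hunk. Moving the block above `- name: Dconf Update` keeps the five files uniform. If the macro registers a result that should feed that task's `when:` condition, the condition would need updating as well — the macro body is not visible here.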
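Review bot: The added `{{% if product in ['sle15', 'sle16'] %}} … {{% endif %}}` block repeats the `bash_enable_dconf_user_profile(profile="gdm", database="gdm")` call that the hunk's own leading context lines show already present two lines above (the opening `{{% if %}}` of that earlier block lies outside the hunk), so SLE builds would emit the profile fix twice. Unless the earlier block is gated on a different condition, drop the three added template lines and the blank line after them and keep only the rewritten `bash_dconf_settings`/`bash_dconf_lock` calls.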
@@ -20,7 +20,7 @@ - /etc/dconf/db/local.d/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/ ^.*$ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$ 1 @@ -33,7 +33,7 @@ - /etc/dconf/db/local.d/locks/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/ ^.*$ ^/org/gnome/desktop/media-handling/autorun-never$ 1 diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/policy/stig/shared.yml index b22a5e130f65..3e2088af3a88 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/policy/stig/shared.yml @@ -20,7 +20,7 @@ checktext: |- fixtext: |- Configure the GNOME desktop to not allow a user to change the setting that disables autorun on removable media. - Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: + Add the following line to "/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock" to prevent user modification: /org/gnome/desktop/media-handling/autorun-never diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml index 6bd3a7d1c5cf..55fc533a287c 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml 
@@ -7,12 +7,12 @@ description: |- The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-never within GNOME3, add or set - autorun-never to true in /etc/dconf/db/local.d/00-security-settings. + autorun-never to true in /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings. For example:
[org/gnome/desktop/media-handling]
     autorun-never=true
Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update. @@ -51,7 +51,7 @@ ocil: |-
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true. To ensure that users cannot enable autorun in GNOME3, run the following: -
$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
+
$ grep 'autorun-never' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh index 4dc8e1444d97..3ade414fabc3 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh @@ -8,5 +8,5 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles -add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings" +add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh index 85dd9a330681..c0d5a5691d3a 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ubuntu # packages = gdm,dconf # profiles = xccdf_org.ssgproject.content_profile_stig 
@@ -8,5 +8,5 @@ install_dconf_and_gdm_if_needed clean_dconf_settings -add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings" +add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml index d11221f62506..cc3c20e4d355 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml @@ -5,7 +5,7 @@ # disruption = medium - name: "Require Credential Prompting for Remote Access in GNOME3" community.general.ini_file: - dest: /etc/dconf/db/local.d/00-security-settings + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/Vino option: authentication-methods value: "['vnc']" @@ -15,7 +15,7 @@ - name: "Prevent user modification of GNOME3 Credential Prompting for Remote Access" ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock regexp: '^/org/gnome/Vino/authentication-methods$' line: '/org/gnome/Vino/authentication-methods' create: yes 
@@ -24,3 +24,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh index 872cc4bad130..82c6aebcd34b 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh @@ -1,5 +1,8 @@ # platform = multi_platform_all +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} -{{{ bash_dconf_settings("org/gnome/Vino", "authentication-methods", "['vnc']", "local.d", "00-security-settings", rule_id=rule_id) }}} -{{{ bash_dconf_lock("org/gnome/Vino", "authentication-methods", "local.d", "00-security-settings-lock") }}} +{{{ bash_dconf_settings("org/gnome/Vino", "authentication-methods", "['vnc']", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/Vino", "authentication-methods", dconf_gdm_dir, "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml index c92bd856aaa2..133709ed99bf 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml 
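Review bot: The SLE branch enables only the `gdm` profile for the `gdm` database before the Vino setting and its lock are written into `dconf_gdm_dir`, yet `org/gnome/Vino/authentication-methods` governs the logged-in user's session, not the login screen. If `dconf_gdm_dir` resolves to `gdm.d` on sle15/sle16 (its definition is not in this diff), the lock is only honoured by sessions whose dconf profile lists that database, so a session running under the default `user` profile could still change the value; by comparison the Ubuntu branch of dconf_gnome_screensaver_idle_delay in this same series also enables `bash_enable_dconf_user_profile(profile="user", database="local")`. Please confirm that the SLE `user` profile reads the database this setting lands in, or enable one here, and record the assumption in a comment such as `# SLE: settings are compiled into the gdm database; user sessions must read it too`.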
+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml @@ -18,7 +18,7 @@ - /etc/dconf/db/local.d/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/ ^.*$ ^\[org/gnome/Vino\]([^\n]*\n+)+?authentication-methods=\['vnc'\]$ 1 @@ -31,7 +31,7 @@ - /etc/dconf/db/local.d/locks/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/ ^.*$ ^/org/gnome/Vino/authentication-methods$ 1 diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml index 9cd95350def2..8da990470a3b 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml @@ -7,12 +7,12 @@ description: |- By default, GNOME does not require credentials when using Vino for remote access. To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in - /etc/dconf/db/local.d/00-security-settings. For example: + /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings. For example:
[org/gnome/Vino]
     authentication-methods=['vnc']
     
Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. @@ -41,7 +41,6 @@ ocil: |-
$ gsettings get org.gnome.Vino authentication-methods
If properly configured, the output should be false. To ensure that users cannot disable credentials for remote access, run the following: -
$ grep authentication-methods /etc/dconf/db/local.d/locks/*
+
$ grep authentication-methods /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*
If properly configured, the output should be /org/gnome/Vino/authentication-methods - diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml index f57ab3f7d511..3cb5185e5bc8 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml @@ -5,7 +5,7 @@ # disruption = medium - name: "Require Encryption for Remote Access in GNOME3" community.general.ini_file: - dest: /etc/dconf/db/local.d/00-security-settings + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/Vino option: require-encryption value: "true" @@ -15,7 +15,7 @@ - name: "Prevent user modification of GNOME3 Encryption for Remote Access" ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock regexp: '^/org/gnome/Vino/require-encryption$' line: '/org/gnome/Vino/require-encryption' create: yes @@ -24,3 +24,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh index 51d61baf3068..033dfae608f1 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh 
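Review bot: The OCIL in this hunk still tells the assessor that `gsettings get org.gnome.Vino authentication-methods` should print `false`, while the remediation in the same rule sets the key to `['vnc']` and the lock line below names that key; a boolean is not a value of this list-typed key, so a correctly configured system would be judged non-compliant by the manual check. Since the hunk already rewrites this block, change the sentence to `If properly configured, the output should be ['vnc'].` The enclosing `ocil` block begins before the hunk.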
+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh @@ -1,5 +1,8 @@ # platform = multi_platform_all +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} -{{{ bash_dconf_settings("org/gnome/Vino", "require-encryption", "true", "local.d", "00-security-settings", rule_id=rule_id) }}} -{{{ bash_dconf_lock("org/gnome/Vino", "require-encryption", "local.d", "00-security-settings-lock") }}} +{{{ bash_dconf_settings("org/gnome/Vino", "require-encryption", "true", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/Vino", "require-encryption", dconf_gdm_dir, "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml index 39ba68f4f149..1e8684b418ad 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml @@ -18,7 +18,7 @@ - /etc/dconf/db/local.d/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/ ^.*$ ^\[org/gnome/Vino\]([^\n]*\n+)+?require-encryption=true$ 1 @@ -31,7 +31,7 @@ - /etc/dconf/db/local.d/locks/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/ ^.*$ ^/org/gnome/Vino/require-encryption$ 1 diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml index 12a8f4499433..1e3bb3e00e86 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml 
+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml @@ -7,12 +7,12 @@ description: |- By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in - /etc/dconf/db/local.d/00-security-settings. For example: + /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings. For example:
[org/gnome/Vino]
     require-encryption=true
     
Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update. @@ -49,7 +49,6 @@ ocil: |-
$ gsettings get org.gnome.Vino require-encrpytion
If properly configured, the output should be true. To ensure that users cannot disable encrypted remote connections, run the following: -
$ grep require-encryption /etc/dconf/db/local.d/locks/*
+
$ grep require-encryption /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*
If properly configured, the output should be /org/gnome/Vino/require-encryption - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml index dbccc97c5176..e7c495446a30 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml @@ -5,7 +5,7 @@ # disruption = medium - name: "Enable GNOME3 Screensaver Idle Activation" community.general.ini_file: - dest: "/etc/dconf/db/local.d/00-security-settings" + dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings" section: "org/gnome/desktop/screensaver" option: "idle-activation-enabled" value: "true" @@ -15,7 +15,7 @@ - name: "Prevent user modification of GNOME idle-activation-enabled" ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled$' line: '/org/gnome/desktop/screensaver/idle-activation-enabled' create: yes @@ -24,3 +24,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh index 571567335263..0c196aaef18c 100644 
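Review bot: The verification command kept in this hunk is misspelled: `$ gsettings get org.gnome.Vino require-encrpytion` names a key that does not exist, so an assessor copying it gets an error rather than the `true` the next sentence expects. Fix it to `$ gsettings get org.gnome.Vino require-encryption` while this block is being touched. The enclosing `ocil` block begins before the hunk.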
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh @@ -1,5 +1,7 @@ # platform = multi_platform_all - -{{{ bash_dconf_settings("org/gnome/desktop/screensaver", "idle-activation-enabled", "true", "local.d", "00-security-settings", rule_id=rule_id) }}} -{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "idle-activation-enabled", "local.d", "00-security-settings-lock") }}} +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} +{{{ bash_dconf_settings("org/gnome/desktop/screensaver", "idle-activation-enabled", "true", dconf_gdm_dir , "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "idle-activation-enabled", dconf_gdm_dir, "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml index 849b09080d2a..0c8ba9e933f9 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml @@ -18,7 +18,7 @@ - /etc/dconf/db/local.d/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/ ^.*$ ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?idle-activation-enabled=true$ 1 @@ -31,7 +31,7 @@ - /etc/dconf/db/local.d/locks/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/ ^.*$ ^/org/gnome/desktop/screensaver/idle-activation-enabled$ 1 
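Review bot: The new `bash_dconf_settings` call has a stray space before the comma, `dconf_gdm_dir , "00-security-settings"`, where the two sibling remediations in this series write `dconf_gdm_dir, "00-security-settings"`; this hunk also drops the blank line between the `# platform` header and the macro calls that those files keep. Both are cosmetic, but the inconsistent spacing makes the three files harder to compare, so `{{{ bash_dconf_settings("org/gnome/desktop/screensaver", "idle-activation-enabled", "true", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}}` would match the rest.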
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml index c2d48df41ac4..dfc2874675d3 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml @@ -6,11 +6,11 @@ title: 'Enable GNOME3 Screensaver Idle Activation' description: |- To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in - /etc/dconf/db/local.d/00-security-settings. For example: + /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings. For example:
[org/gnome/desktop/screensaver]
     idle-activation-enabled=true
Once the setting has been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. + /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update. @@ -59,6 +59,5 @@ ocil: |-
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true. To ensure that users cannot disable the screensaver idle inactivity setting, run the following: -
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
+
$ grep idle-activation-enabled /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh index e8ff2ac2955c..f2af50b09ab6 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh @@ -5,6 +5,6 @@ clean_dconf_settings add_dconf_setting "org/gnome/desktop/screensaver" "#idle-activation-enabled" "true" \ - "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "local.d" \ + "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "{{{ dconf_gdm_dir }}}" \ "00-security-settings-lock" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh index 3d7cfa54c6d2..f9cb5e4be598 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh 
@@ -4,7 +4,8 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +add_dconf_profiles add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "true" \ - "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "local.d" \ + "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "{{{ dconf_gdm_dir }}}" \ "00-security-settings-lock" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh index 5cfef8b62db8..b051b7422c7a 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh @@ -5,4 +5,4 @@ clean_dconf_settings add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "true" \ - "local.d" "00-security-settings" + "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh index 76b9088c85f5..794832db3d3b 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh 
@@ -5,6 +5,6 @@ clean_dconf_settings add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "false" \ - "local.d" "00-security-settings" -add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "local.d" \ + "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "{{{ dconf_gdm_dir }}}" \ "00-security-settings-lock" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh index de0854c03f83..238b4980697b 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh @@ -3,9 +3,14 @@ {{% if 'ubuntu' in product %}} {{{ bash_enable_dconf_user_profile(profile="user", database="local") }}} {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} -{{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", "local.d", "00-security-settings-lock") }}} +{{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% endif %}} + +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", dconf_gdm_dir, "00-security-settings-lock") }}} {{% endif %}} {{{ bash_instantiate_variables("inactivity_timeout_value") }}} -{{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", "local.d", "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} 
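Review bot: The new SLE branch repeats the `bash_enable_dconf_user_profile(profile="gdm", database="gdm")` and `bash_dconf_lock` lines of the Ubuntu branch directly above it, so the two blocks differ only in the `user`/`local` profile line. Folding them into one `{{% if 'ubuntu' in product or product in ['sle15', 'sle16'] %}}` block, with the `profile="user", database="local"` line kept under its own `{{% if 'ubuntu' in product %}}` guard, keeps the platforms from drifting apart. That remaining difference deserves a comment: on SLE no profile is enabled for the user session, so if `dconf_gdm_dir` does not resolve to a database the `user` profile reads, the idle-delay lock would apply to the login screen only — the variable's definition is not in this diff, so please confirm.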
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml index a4173903a2c2..eaf405962fa9 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml @@ -7,7 +7,7 @@ - {{% if 'ubuntu' in product %}} + {{% if 'ubuntu' in product or product in ["sle15", "sle16"] %}} {{% endif %}} @@ -21,7 +21,7 @@ - /etc/dconf/db/local.d/ + /etc/dconf/db/{{{ dconf_gdm_dir }}}/ ^.*$ ^/dev/.*$ - ^(?!afs$|autofs$|ceph$|cifs$|smb3$|smbfs$|sshfs$|ncpfs$|ncp$|nfs$|nfs4$|gfs$|gfs2$|glusterfs$|gpfs$|pvfs2$|ocfs2$|lustre$|davfs$|fuse\.sshfs$).+ + ^(?!afs$|autofs$|ceph$|cifs$|smb3$|smbfs$|sshfs$|ncpfs$|ncp$|nfs$|nfs4$|gfs$|gfs2$|glusterfs$|gpfs$|pvfs2$|ocfs2$|lustre$|davfs$|fuse\.sshfs$|vfat$).+ nodev @@ -46,7 +46,7 @@ /etc/fstab - ^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/\w\S*\s+\S+\s+(\S+) + ^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/(?!boot|efi)\w\S*\s+(?!vfat\s)\S+\s+(\S+) 1 /dev. Network file systems such as NFS, CIFS, + GlusterFS and others are excluded because they do not expose local + device nodes. The /boot and /efi partitions are + excluded because they are special partitions usually handled by a + systemd mount unit, and enforcing nodev on them during + operating system installation causes issues. Partitions with the + vfat file system type are excluded because vfat does not + support Unix device special files, so nodev enforcement on + them is not meaningful. 
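Review bot: In the new fstab pattern the lookahead `/(?!boot|efi)\w\S*` excludes every mount point whose first path component merely starts with `boot` or `efi` — `/bootstrap`, `/efidata` or `/boot2` would silently escape the nodev requirement, not only `/boot`, `/boot/efi` and `/efi` as the description says. Anchoring the lookahead on the end of the component fixes that: `^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/(?!(?:boot|efi)(?:/|\s))\w\S*\s+(?!vfat\s)\S+\s+(\S+)`. The text around this hunk looks truncated in this view, so the enclosing OVAL object and the rule description it pairs with are not fully visible.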
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh
new file mode 100644
index 000000000000..837e79fbeee5
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+# A vfat partition without nodev should be ignored by the rule.
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" vfat defaults
From aa1a58a31ef63485d81fbbf0e60a548581947a4d Mon Sep 17 00:00:00 2001
From: Arden97
Date: Tue, 10 Feb 2026 17:22:29 +0100
Subject: [PATCH 017/265] add audit watcher rule for /var/lib/selinux
---
 .../rule.yml | 34 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt | 3 --
 2 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml
new file mode 100644
index 000000000000..0b2cb0cc7328
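Review bot: The `sed -e 's/\bnodev\b/,/g' ... /etc/fstab.backup` line writes to stdout and nothing consumes its output, so the intended stripping of existing `nodev` options never happens and the following `awk` simply appends `,nodev` to whatever was already there. That `awk` also rewrites every line, so a comment or blank line in fstab comes out with a trailing `,nodev`, and the `mount -o remount` loop below then runs against a file with such malformed non-entry lines. Either pipe the sed output into awk, or drop the dead sed and skip non-entries with `awk '$1 !~ /^#/ && NF >= 4 { $4 = $4 ",nodev" } { print }' /etc/fstab.backup > /etc/fstab`. Whether `create_partition` formats the new device as vfat to match the fstab line written for it cannot be told from here, since it comes from `$SHARED/partition.sh`.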
--- /dev/null +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml @@ -0,0 +1,34 @@ +documentation_complete: true + +title: 'Record Events that Modify the System''s Mandatory Access Controls in /var/lib/selinux' + +description: |- + {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}} + +rationale: |- + The system's mandatory access policy (SELinux) should not be + arbitrarily changed by anything other than administrator action. All changes to + MAC policy should be audited. + +severity: medium + +identifiers: + cce@rhel8: CCE-86459-5 + cce@rhel9: CCE-86461-1 + cce@rhel10: CCE-86465-2 + +ocil_clause: 'the system is not configured to audit attempts to change the MAC policy' + +ocil: |- + To determine if the system is configured to audit changes to its SELinux + configuration files, run the following command: +
$ sudo auditctl -l | grep "dir=/var/lib/selinux"
+ If the system is configured to watch for changes to its SELinux + configuration, a line should be returned (including + perm=wa indicating permissions that are watched). + +template: + name: audit_rules_watch + vars: + path: "/var/lib/selinux/" + key: MAC-policy diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index f1dff1792b67..06999bee9a08 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,6 +1,3 @@ -CCE-86459-5 -CCE-86461-1 -CCE-86465-2 CCE-86466-0 CCE-86468-6 CCE-86469-4 From d51d00e5f11ad31cf4c02bfe87f81ebd4ff96d0c Mon Sep 17 00:00:00 2001 From: Arden97 Date: Tue, 10 Feb 2026 17:22:52 +0100 Subject: [PATCH 018/265] add audit watcher rule to fedora cis controls --- controls/cis_fedora.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml index 031e276bc3d5..3f76e1c78eb6 100644 --- a/controls/cis_fedora.yml +++ b/controls/cis_fedora.yml @@ -2957,6 +2957,7 @@ controls: rules: - audit_rules_mac_modification_etc_selinux - audit_rules_mac_modification_usr_share + - audit_rules_mac_modification_var_lib_selinux - id: 6.3.3.24 title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated) From e4c164cacc329aab86355a83b37a07d315b34c83 Mon Sep 17 00:00:00 2001 
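Review bot: The OCIL grep `dir=/var/lib/selinux` only matches rules loaded in the `-a always,exit -F dir=... -F perm=wa` form; when the audit_rules_watch template renders the legacy form for a product (the tests in this series select it through `audit_watches_style`), `auditctl -l` prints the rule as `-w /var/lib/selinux -p wa -k MAC-policy`, which contains neither `dir=` nor the `perm=wa` the text tells the assessor to look for, so a compliant system would appear to fail the manual check. Accept both forms with `$ sudo auditctl -l | grep -E '(-w |dir=)/var/lib/selinux'` and say the returned line should show `perm=wa` or `-p wa`. Which style each product renders is not visible in this diff, so please verify against the template.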
From: Arden97 Date: Tue, 10 Feb 2026 17:49:29 +0100 Subject: [PATCH 019/265] enable oval checks for audit tools on fedora and fix failing tests --- shared/checks/oval/audit_rules_auditctl.xml | 2 +- shared/checks/oval/audit_rules_augenrules.xml | 2 +- shared/macros/20-test-scenarios.jinja | 17 +++++++++++++++++ .../tests/augenrules_correct.pass.sh | 2 ++ .../augenrules_correct_extra_permission.pass.sh | 2 ++ .../augenrules_correct_without_key.pass.sh | 2 ++ .../tests/augenrules_remove_all_rules.fail.sh | 2 ++ .../tests/augenrules_wrong_rule.fail.sh | 2 ++ .../augenrules_wrong_rule_without_key.fail.sh | 2 ++ .../tests/rules_not_there.fail.sh | 1 + .../auditctl_wrong_rule.fail.sh | 2 ++ .../auditctl_wrong_rule_without_key.fail.sh | 2 ++ .../augenrules_wrong_rule.fail.sh | 3 +++ .../augenrules_wrong_rule_without_key.fail.sh | 2 ++ 14 files changed, 41 insertions(+), 2 deletions(-) diff --git a/shared/checks/oval/audit_rules_auditctl.xml b/shared/checks/oval/audit_rules_auditctl.xml index b08adf438882..27a4e5489599 100644 --- a/shared/checks/oval/audit_rules_auditctl.xml +++ b/shared/checks/oval/audit_rules_auditctl.xml @@ -18,7 +18,7 @@ -{{% if product in ['rhel10', 'ol10'] %}} +{{% if product in ['fedora', 'rhel10', 'ol10'] %}} /usr/lib/systemd/system/audit-rules.service ^ExecStart=\/sbin\/auditctl.*$ {{% else %}} diff --git a/shared/checks/oval/audit_rules_augenrules.xml b/shared/checks/oval/audit_rules_augenrules.xml index 7d651e43a0fb..7533f88e2866 100644 --- a/shared/checks/oval/audit_rules_augenrules.xml +++ b/shared/checks/oval/audit_rules_augenrules.xml @@ -18,7 +18,7 @@ - {{% if product in ['rhel10', 'ol10'] %}} + {{% if product in ['fedora', 'rhel10', 'ol10'] %}} /usr/lib/systemd/system/audit-rules.service ^ExecStart=(\/usr|)?\/sbin\/augenrules.*$ {{% else %}} diff --git a/shared/macros/20-test-scenarios.jinja b/shared/macros/20-test-scenarios.jinja index 53bfe16e7338..87015c86b9f8 100644 --- a/shared/macros/20-test-scenarios.jinja 
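Review bot: With fedora added to the product list, the auditctl check still requires `^ExecStart=\/sbin\/auditctl.*$`, while its augenrules twin in the next hunk accepts `(\/usr|)?\/sbin\/augenrules`; on a merged-/usr system such as Fedora the shipped `audit-rules.service` may spell the path as `/usr/sbin/auditctl`, in which case this check could never pass for a correctly configured auditctl setup. Tolerating the prefix the same way, `^ExecStart=(\/usr)?\/sbin\/auditctl.*$`, keeps the two checks consistent. Which form the Fedora unit actually uses is not visible in this diff.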
+++ b/shared/macros/20-test-scenarios.jinja @@ -15,6 +15,23 @@ This macro changes the configuration of the audit service so that it looks like {{%- endmacro -%}} +{{# +This macro changes the configuration of the audit service so that it looks like augenrules is used to load rules. +#}} + +{{%- macro setup_augenrules_environment () -%}} + {{% if product in ["fedora", "ol10", "rhel10"] %}} + sed -i "s%^ExecStart=.*%ExecStart=/sbin/augenrules%" /usr/lib/systemd/system/audit-rules.service + {{% else %}} + {{% if product == "sle15" %}} + sed -i "s%^#ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service + {{% else %}} + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service + {{% endif %}} + {{% endif %}} +{{%- endmacro -%}} + + {{# This macro is used by pam_account_password_faillock template to initialize the external variable and parameter value to a desired state. diff --git a/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh b/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh index 5b03c4d941f3..ff32b83145e7 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh b/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh index 1dbc7bfc3085..845653165303 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh 
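Review bot: The `{{% else %}}{{% if product == "sle15" %}}…{{% endif %}}{{% endif %}}` nesting in the new `setup_augenrules_environment` macro reads more clearly as a flat chain with `{{% elif product == "sle15" %}}`. The sle15 branch also only rewrites a commented `#ExecStartPost=` line, so on a host where the directive is already active its sed is a silent no-op; `s%^#\?ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%` covers both states and could serve the generic branch as well. The doc comment should also state that the macro edits the unit file in place and does not reload systemd, which is sufficient because the OVAL checks in this commit read the file rather than the running service.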
@@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh b/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh index bdd78b2296df..6726a76bd795 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh b/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh index 3fa1b4180dd2..3b1d1a24bd70 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh index 6530b87af549..a0cc8870ed87 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} 
diff --git a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh index fce102beca00..5dad7131b0be 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh b/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh index 46629244c959..40930c2cdd10 100644 --- a/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh +++ b/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh @@ -1,6 +1,7 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} rm -f /etc/audit/rules.d/* > /etc/audit/audit.rules diff --git a/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh b/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh index e17d5be18d41..fd2392404e5d 100644 --- a/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh +++ b/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh @@ -2,8 +2,10 @@ # packages = audit if [[ "$style" == "modern" ]] ; then + sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules else + sed -i "\#-w $path#d" /etc/audit/audit.rules echo "-w $path -p w -k logins" >> /etc/audit/audit.rules fi 
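Review bot: The two `sed -i` lines added to auditctl_wrong_rule.fail.sh run without the `2>/dev/null || true` guard that the augenrules counterparts in this commit carry (augenrules_wrong_rule.fail.sh and augenrules_wrong_rule_without_key.fail.sh), so a missing /etc/audit/audit.rules makes sed exit non-zero here but is tolerated there; auditctl_wrong_rule_without_key.fail.sh has the same difference. Either drop the guard everywhere or add it here as well, e.g. `sed -i "\#-w $path#d" /etc/audit/audit.rules 2>/dev/null || true`. The escaping only neutralises `/` in `$path`, so a value containing `#` or a regex metacharacter would alter the delete pattern; that is acceptable for the fixed template paths these scripts receive, but a one-line comment stating the assumption would help. The `escaped_path` variable introduced in augenrules_wrong_rule.fail.sh is the clearer form and could be used in all four scripts rather than inlining the substitution.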
diff --git a/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh b/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh index 4cf6a4c52725..ed0cb28f15fa 100644 --- a/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh +++ b/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh @@ -2,8 +2,10 @@ # packages = audit if [[ "$style" == "modern" ]] ; then + sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules else + sed -i "\#-w $path#d" /etc/audit/audit.rules echo "-w $path -p w" >> /etc/audit/audit.rules fi diff --git a/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh b/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh index ab664a4d6987..ceebf8688b9d 100644 --- a/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh +++ b/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh @@ -3,8 +3,11 @@ if [[ "$style" == "modern" ]] ; then + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/rules.d/login.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/rules.d/login.rules else + sed -i "\#-w $path#d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-w $path -p w -k login" >> /etc/audit/rules.d/login.rules fi diff --git a/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh b/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh index 80bd5f72cfc6..841ad9ea2974 100644 --- a/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh 
+++ b/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh @@ -3,8 +3,10 @@ if [[ "$style" == "modern" ]] ; then + sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w" >> /etc/audit/rules.d/login.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w" >> /etc/audit/rules.d/login.rules else + sed -i "\#-w $path#d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-w $path -p w" >> /etc/audit/rules.d/login.rules fi From 3a56901e1abdd21ed3ca1b6c70db4f5a9a2f3341 Mon Sep 17 00:00:00 2001 From: Arden97 Date: Tue, 10 Feb 2026 17:49:57 +0100 Subject: [PATCH 020/265] add audit watcher rule to audit components --- components/audit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/components/audit.yml b/components/audit.yml index bd1807988a47..018ead72842e 100644 --- a/components/audit.yml +++ b/components/audit.yml @@ -131,6 +131,7 @@ rules: - audit_rules_mac_modification_etc_apparmor_d - audit_rules_mac_modification_etc_selinux - audit_rules_mac_modification_usr_share +- audit_rules_mac_modification_var_lib_selinux - audit_rules_media_export - audit_rules_networkconfig_modification - audit_rules_networkconfig_modification_etc_hosts From b67720a22c0cdb21c559166d6ab319d2627596a9 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 10 Feb 2026 17:56:04 +0100 Subject: [PATCH 021/265] use better rule for RHEL-09-232240 --- .../files/dir_perms_world_writable_system_owned/rule.yml | 3 +++ products/rhel9/controls/stig_rhel9.yml | 2 +- shared/references/cce-redhat-avail.txt | 1 - tests/data/profile_stability/rhel9/stig.profile | 2 +- tests/data/profile_stability/rhel9/stig_gui.profile | 2 +- 5 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml index 3a3bc5278b49..b5fe9798720c 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml @@ -28,6 +28,9 @@ references: stigid@ol7: OL07-00-021031 stigid@ol8: OL08-00-010700 +identifiers: + cce@rhel9: CCE-86469-4 + ocil_clause: 'there is output' ocil: |- diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 7007e84787f1..d048f47b498f 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -1303,7 +1303,7 @@ controls: title: All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user. rules: - - dir_perms_world_writable_root_owned + - dir_perms_world_writable_system_owned status: automated - id: RHEL-09-232245 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index f1dff1792b67..a9080fc38054 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -3,7 +3,6 @@ CCE-86461-1 CCE-86465-2 CCE-86466-0 CCE-86468-6 -CCE-86469-4 CCE-86482-7 CCE-86483-5 CCE-86484-3 diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index eb98e27fcea8..0153ecc82952 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile 
@@ -173,8 +173,8 @@ dconf_gnome_session_idle_user_locks dir_group_ownership_library_dirs dir_ownership_library_dirs dir_permissions_library_dirs -dir_perms_world_writable_root_owned dir_perms_world_writable_sticky_bits +dir_perms_world_writable_system_owned directory_group_ownership_var_log_audit directory_groupowner_sshd_config_d directory_owner_sshd_config_d diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index eeeb1424e414..d76fcf98bcca 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -173,8 +173,8 @@ dconf_gnome_session_idle_user_locks dir_group_ownership_library_dirs dir_ownership_library_dirs dir_permissions_library_dirs -dir_perms_world_writable_root_owned dir_perms_world_writable_sticky_bits +dir_perms_world_writable_system_owned directory_group_ownership_var_log_audit directory_groupowner_sshd_config_d directory_owner_sshd_config_d From c5073f8d6218a25c1f9f3f96747f51fe76eaf951 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 10 Feb 2026 18:06:50 +0100 Subject: [PATCH 022/265] set gnome idle timeout to 10 minutes according to updated RHEL-09-271065 --- products/rhel9/controls/stig_rhel9.yml | 1 + tests/data/profile_stability/rhel9/stig.profile | 1 + tests/data/profile_stability/rhel9/stig_gui.profile | 1 + 3 files changed, 3 insertions(+) diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index d048f47b498f..69d7348f1342 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -2090,6 +2090,7 @@ controls: title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. rules: - dconf_gnome_screensaver_idle_delay + - inactivity_timeout_value=10_minutes status: automated - id: RHEL-09-271070 
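Review bot: The added `- inactivity_timeout_value=10_minutes` sits under a control whose title, a context line just above it, still reads `title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.`; the commit message says the STIG requirement was updated to 10 minutes, so the title should change in the same commit or the control contradicts its own variable selection. If the revised STIG text kept 15 minutes and only the checked value was tightened, a short comment next to the rules entry explaining the difference would stop the next reader from reverting it.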
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
index 0153ecc82952..3546beec2c9f 100644
--- a/tests/data/profile_stability/rhel9/stig.profile
+++ b/tests/data/profile_stability/rhel9/stig.profile
@@ -293,6 +293,7 @@ harden_sshd_ciphers_openssh_conf_crypto_policy
 harden_sshd_ciphers_opensshserver_conf_crypto_policy
 harden_sshd_macs_openssh_conf_crypto_policy
 harden_sshd_macs_opensshserver_conf_crypto_policy
+inactivity_timeout_value=10_minutes
 install_smartcard_packages
 installed_OS_is_vendor_supported
 kernel_module_atm_disabled
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index d76fcf98bcca..bb3711203015 100644
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -293,6 +293,7 @@ harden_sshd_ciphers_openssh_conf_crypto_policy
 harden_sshd_ciphers_opensshserver_conf_crypto_policy
 harden_sshd_macs_openssh_conf_crypto_policy
 harden_sshd_macs_opensshserver_conf_crypto_policy
+inactivity_timeout_value=10_minutes
 install_smartcard_packages
 installed_OS_is_vendor_supported
 kernel_module_atm_disabled
From 65b278f162ee9179eaec46f3a658746a3ddf582e Mon Sep 17 00:00:00 2001
From: Arden97
Date: Tue, 10 Feb 2026 18:35:47 +0100
Subject: [PATCH 023/265] add a warning about a large log volume
---
 .../audit_rules_mac_modification_var_lib_selinux/rule.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml
index 0b2cb0cc7328..096b2fa83e8b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml
@@ -4,6 +4,8 @@ title: 'Record Events that Modify the System''s Mandatory Access Controls in /va description: |- {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}} + Note that monitoring /var/lib/selinux/ will generate a significant burst of audit events + during both selinux-policy* package upgrade and policy rebuild. rationale: |- The system's mandatory access policy (SELinux) should not be From d7a98a0d05cbae0659899f6f61273c0f33de6a45 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 2 Feb 2026 17:14:12 -0600 Subject: [PATCH 024/265] Remove ssg/shims.py Removing Python 2 compatibility. --- ssg/build_guides.py | 13 +++++---- ssg/contributors.py | 5 ++-- ssg/shims.py | 55 ----------------------------------- tests/ssg_test_suite/oscap.py | 4 +-- utils/fix_rules.py | 3 +- 5 files changed, 11 insertions(+), 69 deletions(-) delete mode 100644 ssg/shims.py diff --git a/ssg/build_guides.py b/ssg/build_guides.py index 15eab17758a7..75bbf84703a6 100644 --- a/ssg/build_guides.py +++ b/ssg/build_guides.py @@ -1,10 +1,11 @@ from __future__ import absolute_import import os +import queue +import subprocess import sys from collections import namedtuple -from .shims import subprocess_check_output, Queue from .xccdf import get_profile_choices_for_input, get_profile_short_id from .xccdf import PROFILE_ID_SKIPLIST from .constants import OSCAP_DS_STRING, OSCAP_PATH @@ -48,7 +49,7 @@ def generate_for_input_content(input_content, benchmark_id, profile_id): args.extend(["--profile", profile_id]) args.append(input_content) - return subprocess_check_output(args).decode("utf-8") + return subprocess.check_output(args).decode("utf-8") def builder(queue): @@ -72,7 +73,7 @@ def builder(queue): guide_file.write(guide_html.encode("utf-8")) queue.task_done() - except Queue.Empty: + except queue.Empty: break except Exception as error: sys.stderr.write( 
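Review bot: The two added lines put operational guidance (a burst of audit events on selinux-policy upgrades and policy rebuilds) inside the rule description, where a reader scanning for caveats can miss it; if the project's rule schema offers a dedicated warnings entry, that is where this text belongs — it renders as a distinct warning in generated guides and matches the commit title. Wording-wise, the second line would read more naturally as `during selinux-policy package upgrades and during SELinux policy rebuilds.`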
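Review bot: `except queue.Empty:` inside `builder(queue)` resolves `queue` to the function's parameter, not to the `queue` module added at the top of the file, because the parameter shadows the module name; a `queue.Queue` instance has no `Empty` attribute, so the moment the worker drains the queue the handler expression raises AttributeError instead of breaking, and that error escapes the whole try statement (the following `except Exception` clause does not see it). The `fill_queue` hunk renamed its local to `task_queue` for exactly this reason, but the parameter here was not renamed. Rename it and its uses, `def builder(task_queue):` with `task_queue.task_done()` (and the `get` call, which lies outside the hunk), or alias the module with `import queue as queue_module` and `except queue_module.Empty:`. The body of `builder` continues outside the hunk, so any other `queue.` reference there needs the same treatment.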
@@ -172,7 +173,7 @@ def fill_queue(benchmarks, benchmark_profile_pairs, input_path, path_base, index_links = [] index_options = {} index_initial_src = None - queue = Queue.Queue() + task_queue = queue.Queue() task = namedtuple('task', ['benchmark_id', 'profile_id', 'input_path', 'guide_path']) @@ -202,9 +203,9 @@ def fill_queue(benchmarks, benchmark_profile_pairs, input_path, path_base, if index_initial_src is None: index_initial_src = guide_filename - queue.put(task(benchmark_id, profile_id, input_path, guide_path)) + task_queue.put(task(benchmark_id, profile_id, input_path, guide_path)) - return index_links, index_options, index_initial_src, queue + return index_links, index_options, index_initial_src, task_queue def build_index(benchmarks, input_basename, index_links, index_options, diff --git a/ssg/contributors.py b/ssg/contributors.py index 2abc9fb4684a..5c81296d148c 100644 --- a/ssg/contributors.py +++ b/ssg/contributors.py @@ -8,8 +8,7 @@ import datetime import re import os.path - -from .shims import subprocess_check_output +import subprocess MANUAL_EDIT_WARNING = """This file is generated using the %s script. DO NOT MANUALLY EDIT!!!! @@ -124,7 +123,7 @@ def generate(): - contributors_md (str): The contributors list in Markdown format. - contributors_xml (str): The contributors list in XML format. """ - output = subprocess_check_output(["git", "shortlog", "-se"]).decode("utf-8") + output = subprocess.check_output(["git", "shortlog", "-se"]).decode("utf-8") contributions_by_email = _get_contributions_by_canonical_email(output) contributors = _get_contributor_email_mapping(contributions_by_email) diff --git a/ssg/shims.py b/ssg/shims.py deleted file mode 100644 index b688420ead27..000000000000 --- a/ssg/shims.py +++ /dev/null 
@@ -1,55 +0,0 @@ -from __future__ import absolute_import - -import subprocess - -import queue as Queue - - -def subprocess_check_output(*popenargs, **kwargs): - """ - Run command with arguments and return its output as a byte string. - - This function is a backport of subprocess.check_output from Python 2.7 standard library, - compatible with BSD-3. - - Args: - *popenargs: Variable length argument list to pass to subprocess.Popen. - **kwargs: Arbitrary keyword arguments to pass to subprocess.Popen. - - Returns: - bytes: The output of the command. - - Raises: - subprocess.CalledProcessError: If the command exits with a non-zero status. - """ - # Backport of subprocess.check_output taken from - # https://gist.github.com/edufelipe/1027906 - # - # Originally from Python 2.7 stdlib under PSF, compatible with BSD-3 - # Copyright (c) 2003-2005 by Peter Astrand - # Changes by Eduardo Felipe - - process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs) - output, unused_err = process.communicate() - retcode = process.poll() - if retcode: - cmd = kwargs.get("args") - if cmd is None: - cmd = popenargs[0] - error = subprocess.CalledProcessError(retcode, cmd) - error.output = output - raise error - return output - - -if hasattr(subprocess, "check_output"): - # if available we just use the real function - subprocess_check_output = subprocess.check_output - - -def input_func(prompt=None): - try: - return str(raw_input(prompt)) - except NameError: - return input(prompt) - diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py index c828e7eac95f..9a5396cff544 100644 --- a/tests/ssg_test_suite/oscap.py +++ b/tests/ssg_test_suite/oscap.py @@ -15,8 +15,6 @@ from tests.ssg_test_suite import test_env from tests.ssg_test_suite import common -from ssg.shims import input_func - logging.getLogger(__name__).addHandler(logging.NullHandler()) _CONTEXT_RETURN_CODES = {'pass': 0, 
@@ -316,7 +314,7 @@ def _generate_report_file(self): def _wait_for_continue(self): """ In case user requests to leave machine in failed state for hands on debugging, ask for keypress to continue.""" - input_func("Paused for manual debugging. Continue by pressing return.") + input("Paused for manual debugging. Continue by pressing return.") def prepare_online_scanning_arguments(self): self.command_options.extend([ diff --git a/utils/fix_rules.py b/utils/fix_rules.py index 1708b155253b..efaeb29fbe4c 100755 --- a/utils/fix_rules.py +++ b/utils/fix_rules.py @@ -9,7 +9,6 @@ import re from ssg import yaml, cce, products -from ssg.shims import input_func from ssg.utils import read_file_list import ssg import ssg.products @@ -540,7 +539,7 @@ def fix_file_prompt(path, product_yaml, func, args): response = 'n' if need_input: - response = input_func("Confirm writing output to %s: (y/n): " % path) + response = input("Confirm writing output to %s: (y/n): " % path) if args.assume_yes or response.strip().lower() == 'y': changes = True From 43038906880dd643fe38c2427b9901a4860d8081 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 2 Feb 2026 17:18:09 -0600 Subject: [PATCH 025/265] Add flake8-bugbear to ruff --- ruff.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ruff.toml b/ruff.toml index d5e89e0e13c1..266d8054ff15 100644 --- a/ruff.toml +++ b/ruff.toml @@ -1,9 +1,10 @@ line-length = 99 indent-width = 4 -target-version = "py39" +target-version = "py37" [lint] select = [ + "B", # flake8-bugbear "F", # Pyflakes "E", # pycodestyle "W", # pycodestyle From b682a350b1cbb3608d603839ac7f5d244ac82b23 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 2 Feb 2026 17:28:06 -0600 Subject: [PATCH 026/265] Remove assert False As this might removed in optimized builds --- tests/unit/ssg-module/test_build_renumber.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
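Review bot: `target-version` drops from `py39` to `py37` in a commit whose subject only mentions adding flake8-bugbear, and the message does not explain the downgrade; lowering it tells ruff to accept and suggest only 3.7-era constructs, the opposite direction from the preceding commit that removed the Python 2 shims. If 3.7 is a genuine floor for the build scripts, state it next to the setting, `target-version = "py37"  # lowest Python the build scripts must run on`, or in the commit message; otherwise keep `py39`.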
diff --git a/tests/unit/ssg-module/test_build_renumber.py b/tests/unit/ssg-module/test_build_renumber.py index 493016892c1b..990ddde20857 100644 --- a/tests/unit/ssg-module/test_build_renumber.py +++ b/tests/unit/ssg-module/test_build_renumber.py @@ -195,8 +195,6 @@ def xccdf_with_no_cce(): def test_verify_correct_form_of_referenced_cce_identifiers_no_cce( xccdf_with_no_cce): - try: - ssg.build_renumber.verify_correct_form_of_referenced_cce_identifiers( + # Should not raise an exception when there's no CCE + ssg.build_renumber.verify_correct_form_of_referenced_cce_identifiers( xccdf_with_no_cce) - except SSGError as e: - assert False, "Raised SSGError: " + str(e) From daca17bd11b04292854e42577f0faa1153d20718 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 07:20:55 -0600 Subject: [PATCH 027/265] Adjust exception chaining This should make build errors a bit more useful --- build-scripts/collect_remediations.py | 2 +- ssg/build_cpe.py | 6 ++--- ssg/build_renumber.py | 2 +- ssg/build_yaml.py | 8 +++---- ssg/controls.py | 8 +++---- ssg/entities/common.py | 12 +++++----- ssg/entities/profile_base.py | 2 +- ssg/jinja.py | 4 ++-- ssg/playbook_builder.py | 4 ++-- ssg/templates.py | 2 +- tests/automatus.py | 4 ++-- tests/ssg_test_suite/oscap.py | 4 ++-- tests/ssg_test_suite/rule.py | 2 +- tests/ssg_test_suite/test_env.py | 26 ++++++++++----------- tests/ssg_test_suite/virt.py | 2 +- tests/unit/utils/oscal/test_cd_generator.py | 2 +- utils/ansible_playbook_to_role.py | 4 ++-- utils/fix_rules.py | 10 ++++---- utils/oscal/params_extractor.py | 2 +- 19 files changed, 53 insertions(+), 53 deletions(-) diff --git a/build-scripts/collect_remediations.py b/build-scripts/collect_remediations.py index ecf3e867f00d..93eeb7b24f38 100755 --- a/build-scripts/collect_remediations.py +++ b/build-scripts/collect_remediations.py 
@@ -118,7 +118,7 @@ def collect_remediations( msg = ( "Failed to dispatch {lang} remediation for {rule_id}: {error}" .format(lang=lang, rule_id=rule.id_, error=str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc def main(): diff --git a/ssg/build_cpe.py b/ssg/build_cpe.py index dfba1a06090e..56bee9acf778 100644 --- a/ssg/build_cpe.py +++ b/ssg/build_cpe.py @@ -45,7 +45,7 @@ def load_product_cpes(self, env_yaml): product_cpes_list = env_yaml["cpes"] self.load_product_cpes_from_list(product_cpes_list) except KeyError: - raise Exception("Product %s does not define 'cpes'" % (env_yaml["product"])) + raise Exception("Product %s does not define 'cpes'" % (env_yaml["product"])) from None def load_product_cpes_from_list(self, product_cpes_list): for cpe_dict_repr in product_cpes_list: @@ -107,7 +107,7 @@ def get_cpe(self, cpe_id_or_name): cpe_id_or_name) return self.cpes_by_id[cpe_id_or_name] except KeyError: - raise CPEDoesNotExist("CPE %s is not defined" % cpe_id_or_name) + raise CPEDoesNotExist("CPE %s is not defined" % cpe_id_or_name) from None def add_resolved_cpe_items_from_platform(self, platform): for fact_ref in platform.get_fact_refs(): @@ -267,7 +267,7 @@ def create_resolved_cpe_item_for_fact_ref(self, fact_ref): raise KeyError( "The {0} CPE item does not support the argument {1}. " "Following arguments are supported: {2}".format( - self.id_, fact_ref.arg, [a for a in self.args.keys()])) + self.id_, fact_ref.arg, [a for a in self.args.keys()])) from None resolved_parameters.update(fact_ref.as_dict()) cpe_item_as_dict = self.represent_as_dict() cpe_item_as_dict["args"] = None diff --git a/ssg/build_renumber.py b/ssg/build_renumber.py index 11ef6d961346..1c75f45ceb75 100644 --- a/ssg/build_renumber.py +++ b/ssg/build_renumber.py 
@@ -179,7 +179,7 @@ def link(self): # (either CCE-XXXX-X, or CCE-XXXXX-X). Drop from XCCDF those who don't follow it verify_correct_form_of_referenced_cce_identifiers(self.xccdftree) except SSGError as exc: - raise SSGError("Error processing {0}: {1}".format(self.fname, str(exc))) + raise SSGError("Error processing {0}: {1}".format(self.fname, str(exc))) from exc self.oval_document = self.translator.translate_oval_document( self.oval_document, store_defname=True diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py index 39b428979355..ea834512228e 100644 --- a/ssg/build_yaml.py +++ b/ssg/build_yaml.py @@ -585,7 +585,7 @@ def add_profiles_from_dir(self, dir_, env_yaml, product_cpes): except Exception as exc: msg = ("Error building profile from '{fname}': '{error}'" .format(fname=dir_item_path, error=str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc if new_profile is None: continue @@ -1753,7 +1753,7 @@ def _convert_platform_names(rule, product_cpes): except Exception as e: msg = "Unable to process platforms in rule '%s': %s" % ( rule.id_, str(e)) - raise Exception(msg) + raise Exception(msg) from e cpe_platform = add_platform_if_not_defined( cpe_platform, product_cpes) rule.cpe_platform_names.add(cpe_platform.id_) @@ -1839,7 +1839,7 @@ def normalize(self, product): "Error normalizing '{rule}': {msg}" .format(rule=self.id_, msg=str(exc)) ) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc def add_stig_references(self, stig_references): """ @@ -2058,7 +2058,7 @@ def make_refs_and_identifiers_product_specific(self, product): "Error processing {what} for rule '{rid}': {msg}" .format(what=name, rid=self.id_, msg=str(exc)) ) - raise ValueError(msg) + raise ValueError(msg) from exc dic.clear() dic.update(new_items) diff --git a/ssg/controls.py b/ssg/controls.py index 5a077a6d13da..3433af01cfdb 100644 --- a/ssg/controls.py +++ b/ssg/controls.py 
@@ -307,7 +307,7 @@ def add_references(self, reference_type, rules): "Please remove any duplicate listing of rule '%s' in " "control '%s'." % ( rule.id_, self.id)) - raise ValueError(msg) + raise ValueError(msg) from None class Level(ssg.entities.common.XCCDFEntity): @@ -499,7 +499,7 @@ def _create_control_from_subtree(self, subtree): msg = ( "Unable to parse controls from (unknown): {error}" .format(filename=self.filepath, error=str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc return control def _extract_and_record_subcontrols(self, current_control, controls_tree): @@ -683,7 +683,7 @@ def get_control(self, control_id): msg = "%s not found in policy %s" % ( control_id, self.id ) - raise ValueError(msg) + raise ValueError(msg) from None def get_level(self, level_id): """ @@ -705,7 +705,7 @@ def get_level(self, level_id): msg = "Level %s not found in policy %s" % ( level_id, self.id ) - raise ValueError(msg) + raise ValueError(msg) from None def get_level_with_ancestors_sequence(self, level_id): """ diff --git a/ssg/entities/common.py b/ssg/entities/common.py index 53ec63f074de..80b69a108728 100644 --- a/ssg/entities/common.py +++ b/ssg/entities/common.py @@ -119,7 +119,7 @@ def add_sub_element(parent, tag, ns, data): except Exception: msg = ("Error adding subelement to an element '{0}' from string: '{1}'" .format(parent.tag, ustr)) - raise RuntimeError(msg) + raise RuntimeError(msg) from None # Apart from HTML and XML elements the rule descriptions and similar # also contain elements, where we need to add the prefix 
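Review bot: The `.format(filename=self.filepath, error=str(exc))` call in the context of the `_create_control_from_subtree` hunk passes a `filename` argument that the template `"Unable to parse controls from (unknown): {error}"` never uses, so the error chained here still reports `(unknown)` instead of the file; this predates the commit, but it is exactly the kind of message the commit sets out to improve. Changing the template to `"Unable to parse controls from {filename}: {error}"` fixes it. The same pattern appears in `ssg/entities/common.py` in the `from_yaml` and `from_compiled_json` hunks (`"Error loading a {class_name} from (unknown): {error}"`).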
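Review bot: `raise RuntimeError(msg) from None` in `add_sub_element` follows a bare `except Exception:`, so the XML parse error that caused the failure is discarded entirely — the message names the element and the offending string but not what was wrong with it, which works against the commit's goal of more useful build errors. Binding the exception and chaining it keeps the cause: `except Exception as exc:` and `raise RuntimeError(msg) from exc`. `from None` is the right choice for the KeyError lookups elsewhere in this commit, where the original exception carries no extra information, but not here.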
@@ -254,13 +254,13 @@ def parse_yaml_into_processed_dict(cls, yaml_file, env_yaml=None, product_cpes=N msg = ( "Error processing {yaml_file}: {exc}" .format(yaml_file=yaml_file, exc=str(exc))) - raise ValueError(msg) + raise ValueError(msg) from exc if yaml_data: msg = ( "Unparsed YAML data in '{yaml_file}': {keys}" .format(yaml_file=yaml_file, keys=list(yaml_data.keys()))) - raise RuntimeError(msg) + raise RuntimeError(msg) from None if not processed_data.get("definition_location", ""): processed_data["definition_location"] = yaml_file @@ -296,7 +296,7 @@ def from_yaml(cls, yaml_file, env_yaml=None, product_cpes=None): msg = ( "Error loading a {class_name} from (unknown): {error}" .format(class_name=cls.__name__, filename=yaml_file, error=str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc result = cls.get_instance_from_full_dict(data_dict) @@ -312,7 +312,7 @@ def from_compiled_json(cls, json_file_path, env_yaml=None, product_cpes=None): msg = ( "Error loading a {class_name} from (unknown): {error}" .format(class_name=cls.__name__, filename=json_file_path, error=str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc result = cls.get_instance_from_full_dict(data_dict) @@ -465,7 +465,7 @@ def get_template_name(self): return self.template["name"] except KeyError: raise ValueError( - "Templatable {0} is missing template name under template key".format(self)) + "Templatable {0} is missing template name under template key".format(self)) from None def get_template_context(self, env_yaml): # TODO: The first two variables, 'rule_id' and 'rule_title' are expected by some diff --git a/ssg/entities/profile_base.py b/ssg/entities/profile_base.py index c1fd9ddb3987..9cbb67920b8f 100644 --- a/ssg/entities/profile_base.py +++ b/ssg/entities/profile_base.py 
@@ -84,7 +84,7 @@ def process_input_dict(cls, input_contents, env_yaml, product_cpes): msg = ( "Unsupported platform '{platform}' in a profile." .format(platform=platform)) - raise CPEDoesNotExist(msg) + raise CPEDoesNotExist(msg) from None allowed_profile_statuses = ["draft", "interim", "accepted", "deprecated"] if input_contents["status"] and input_contents["status"] not in allowed_profile_statuses: diff --git a/ssg/jinja.py b/ssg/jinja.py index 50e55b8c847e..9b5dbdb42445 100644 --- a/ssg/jinja.py +++ b/ssg/jinja.py @@ -66,7 +66,7 @@ def get_source(self, environment, template): except Exception as exc: msg = ("Error reading file {template}: {exc}" .format(template=template, exc=str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc finally: template_file.close() @@ -255,7 +255,7 @@ def _load_macros_from_directory(macros_directory, substitutions_dict): except Exception as exc: msg = ("Error extracting macro definitions from '{1}': {0}" .format(str(exc), filename)) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc def _load_macros(macros_directory, substitutions_dict=None): diff --git a/ssg/playbook_builder.py b/ssg/playbook_builder.py index 0be06e2adf43..d5e67fa4cf92 100644 --- a/ssg/playbook_builder.py +++ b/ssg/playbook_builder.py @@ -50,7 +50,7 @@ def choose_variable_value(self, var_id, variables, refinements): try: options = variables[var_id] except KeyError: - raise ValueError("Variable '%s' doesn't exist." % var_id) + raise ValueError("Variable '%s' doesn't exist." % var_id) from None try: value = options[selector] except KeyError: @@ -67,7 +67,7 @@ def choose_variable_value(self, var_id, variables, refinements): "Selector '%s' doesn't exist in variable '%s'. " "Available selectors: %s." % (selector, var_id, ", ".join(options.keys())) - ) + ) from None return value def get_data_from_snippet(self, snippet_yaml, variables, refinements): diff --git a/ssg/templates.py b/ssg/templates.py index 883382462c05..862b75b962fa 100644 
--- a/ssg/templates.py +++ b/ssg/templates.py @@ -382,7 +382,7 @@ def get_lang_contents_for_templatable(self, templatable, language): language, local_env_yaml) except Exception as e: raise RuntimeError("Unable to generate {0} template language for Templatable {1}: {2}" - .format(language.name, templatable, e)) + .format(language.name, templatable, e)) from e def write_lang_contents_for_templatable(self, filled_template, lang, templatable): """ diff --git a/tests/automatus.py b/tests/automatus.py index 560a938323f0..3dfc4770d6d9 100755 --- a/tests/automatus.py +++ b/tests/automatus.py @@ -432,7 +432,7 @@ def normalize_passed_arguments(options): options.benchmark_id = bench_id except RuntimeError as exc: msg = "Error inferring benchmark ID from component refId: {}".format(str(exc)) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc if options.docker: options.test_env = ssg_test_suite.test_env.DockerTestEnv( @@ -469,7 +469,7 @@ def normalize_passed_arguments(options): options.benchmark_cpes = benchmark_cpes except RuntimeError as exc: msg = "Error inferring platform from benchmark: {}".format(str(exc)) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc def main(): diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py index 9a5396cff544..141abb00ff60 100644 --- a/tests/ssg_test_suite/oscap.py +++ b/tests/ssg_test_suite/oscap.py @@ -700,7 +700,7 @@ def start(self): except Exception as exc: msg = ("Failed to start test environment '{0}': {1}" .format(self.test_env.name, str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc def finalize(self): if not self.executed_tests: @@ -711,7 +711,7 @@ def finalize(self): except Exception as exc: msg = ("Failed to finalize test environment '{0}': {1}" .format(self.test_env.name, str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc REMEDIATION_PROFILE_RUNNERS = { 
diff --git a/tests/ssg_test_suite/rule.py b/tests/ssg_test_suite/rule.py index 5d8acbe19393..820b9d488bdb 100644 --- a/tests/ssg_test_suite/rule.py +++ b/tests/ssg_test_suite/rule.py @@ -272,7 +272,7 @@ def _prepare_environment(self, test_content_by_rule_id): self.test_env, test_content_by_rule_id) except RuntimeError as exc: msg = "Unable to upload test scripts: {more_info}".format(more_info=str(exc)) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc self._ensure_package_present_for_all_scenarios(test_content_by_rule_id) diff --git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py index 63bd416c9e33..3d9d422e0b90 100644 --- a/tests/ssg_test_suite/test_env.py +++ b/tests/ssg_test_suite/test_env.py @@ -157,7 +157,7 @@ def scp_transfer_file(self, source, destination, log_file, error_msg=None): except Exception as exc: error_msg = error_msg + ": " + str(exc) logging.error(error_msg) - raise RuntimeError(error_msg) + raise RuntimeError(error_msg) from exc def finalize(self): """ @@ -221,7 +221,7 @@ def __init__(self, mode, hypervisor, domain_name, keep_snapshots): import libvirt except ImportError: raise RuntimeError("Can't import libvirt module, libvirt backend will " - "therefore not work.") + "therefore not work.") from None self.domain = None @@ -367,13 +367,13 @@ def get_ssh_port(self): "This usually means that the container backend reported its configuration " "in an unexpected format." ) - raise RuntimeError(msg) + raise RuntimeError(msg) from None if self.internal_ssh_port in ports: ssh_port = ports[self.internal_ssh_port] else: msg = "Unable to detect the SSH port for the container." - raise RuntimeError(msg) + raise RuntimeError(msg) from None else: ssh_port = self.internal_ssh_port return ssh_port 
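Review bot: `raise RuntimeError("Can't import libvirt module, ...") from None` discards the ImportError, and for an optional backend that exception is usually the only clue about why the import failed (missing Python binding versus a shared library it could not load). Binding and chaining it, `except ImportError as exc:` and `... from exc`, preserves that detail while keeping the friendly top-level message. The docker-module import in the `__init__(self, mode, image_name)` hunk of the same file does the same and would benefit from the same change.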
@@ -455,7 +455,7 @@ def __init__(self, mode, image_name): try: import docker except ImportError: - raise RuntimeError("Can't import the docker module, Docker backend will not work.") + raise RuntimeError("Can't import the docker module, Docker backend will not work.") from None try: self.client = docker.from_env(version="auto") self.client.ping() @@ -466,7 +466,7 @@ def __init__(self, mode, image_name): "is the Docker service started " "and do you have rights to access it?" .format(str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc def _commit(self, container, image): container.commit(repository=image) @@ -521,7 +521,7 @@ def _commit(self, container, image): except subprocess.CalledProcessError as e: msg = "Command '{0}' returned {1}:\n{2}".format( " ".join(e.cmd), e.returncode, e.output.decode("utf-8")) - raise RuntimeError(msg) + raise RuntimeError(msg) from e def _new_container_from_image(self, image_name, container_name): long_name = "{0}_{1}".format(self._name_stem, container_name) @@ -540,7 +540,7 @@ def _new_container_from_image(self, image_name, container_name): except subprocess.CalledProcessError as e: msg = "Command '{0}' returned {1}:\n{2}".format( " ".join(e.cmd), e.returncode, e.output.decode("utf-8")) - raise RuntimeError(msg) + raise RuntimeError(msg) from e container_id = podman_output.decode("utf-8").strip() return container_id @@ -554,7 +554,7 @@ def get_ip_address(self): except subprocess.CalledProcessError as e: msg = "Command '{0}' returned {1}:\n{2}".format( " ".join(e.cmd), e.returncode, e.output.decode("utf-8")) - raise RuntimeError(msg) + raise RuntimeError(msg) from e ip_address = podman_output.decode("utf-8").strip() if not ip_address: ip_address = "localhost" 
@@ -568,7 +568,7 @@ def _get_container_ports(self, container): except subprocess.CalledProcessError as e: msg = "Command '{0}' returned {1}:\n{2}".format( " ".join(e.cmd), e.returncode, e.output.decode("utf-8")) - raise RuntimeError(msg) + raise RuntimeError(msg) from e return self.extract_port_map(json.loads(podman_output)) def extract_port_map(self, podman_network_data): @@ -591,14 +591,14 @@ def _terminate_current_running_container_if_applicable(self): except subprocess.CalledProcessError as e: msg = "Command '{0}' returned {1}:\n{2}".format( " ".join(e.cmd), e.returncode, e.output.decode("utf-8")) - raise RuntimeError(msg) + raise RuntimeError(msg) from e podman_cmd = ["podman", "rm", running_state] try: subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: msg = "Command '{0}' returned {1}:\n{2}".format( " ".join(e.cmd), e.returncode, e.output.decode("utf-8")) - raise RuntimeError(msg) + raise RuntimeError(msg) from e def _remove_image(self, image): podman_cmd = ["podman", "rmi", image] @@ -607,7 +607,7 @@ def _remove_image(self, image): except subprocess.CalledProcessError as e: msg = "Command '{0}' returned {1}:\n{2}".format( " ".join(e.cmd), e.returncode, e.output.decode("utf-8")) - raise RuntimeError(msg) + raise RuntimeError(msg) from e def _local_oscap_check_base_arguments(self): raise NotImplementedError("OpenSCAP doesn't support offline scanning of Podman Containers") diff --git a/tests/ssg_test_suite/virt.py b/tests/ssg_test_suite/virt.py index 1c88ddb44d2c..98b76de18248 100644 --- a/tests/ssg_test_suite/virt.py +++ b/tests/ssg_test_suite/virt.py @@ -194,7 +194,7 @@ def reboot_domain(domain, domain_ip, ssh_port): str_err = ("Timeout reached: '{0}' ({1}:{2}) domain does not " "accept connections.".format(domain.name(), domain_ip, ssh_port)) logging.debug(str_err) - raise TimeoutError(str_err) + raise TimeoutError(str_err) from None else: ssh_socket.close() break 
diff --git a/tests/unit/utils/oscal/test_cd_generator.py b/tests/unit/utils/oscal/test_cd_generator.py index 313499a61e48..1d210995779a 100644 --- a/tests/unit/utils/oscal/test_cd_generator.py +++ b/tests/unit/utils/oscal/test_cd_generator.py @@ -57,7 +57,7 @@ def vendor_dir() -> Generator[str, None, None]: except Exception as e: raise TrestleError( f"Initialization failed for temporary trestle directory: {e}." - ) + ) from e yield tmpdir diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py index e30bac625481..257359acdad9 100755 --- a/utils/ansible_playbook_to_role.py +++ b/utils/ansible_playbook_to_role.py @@ -22,7 +22,7 @@ except ImportError: print("Please install PyGithub, you need a specific version of pygithub, install it through $ pip install \"PyGithub>=1.58.2,<2.0\"", file=sys.stderr) - raise SystemExit(1) + raise SystemExit(1) from None try: @@ -31,7 +31,7 @@ from ssg.utils import mkdir_p except ImportError: print("Unable to find the ssg module. Please run 'source .pyenv.sh'", file=sys.stderr) - raise SystemExit(1) + raise SystemExit(1) from None def memoize(f): diff --git a/utils/fix_rules.py b/utils/fix_rules.py index efaeb29fbe4c..71fd850c1cb0 100755 --- a/utils/fix_rules.py +++ b/utils/fix_rules.py @@ -438,7 +438,7 @@ def has_product_cce(yaml_contents, product): if not yaml_contents[section]: return False - for i_type, i_value in yaml_contents[section].items(): + for i_type, _ in yaml_contents[section].items(): if i_type[0:3] != 'cce' or "@" not in i_type: continue @@ -498,7 +498,7 @@ def _fixed_file_contents(path, file_contents, product_yaml, func): new_file_contents = func(file_contents, yaml_contents) except Exception as exc: msg = "Refusing to fix file: {path}: {error}".format(path=path, error=str(exc)) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc return new_file_contents 
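Review bot: In has_product_cce the rewritten loop `for i_type, _ in yaml_contents[section].items():` still unpacks a value it never uses; iterating the mapping directly, `for i_type in yaml_contents[section]:`, says the same thing without the placeholder. The visible body only reads `i_type`, so the change is behavior-preserving. has_product_cce starts outside the hunk.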
@@ -575,16 +575,16 @@ def is_relevant_rule(rule_path, rule, rule_lines): cce = cce_pool.random_cce() - def fix_callback(file_contents, yaml_contents): + def fix_callback(file_contents, yaml_contents, cce=cce): return add_product_cce(file_contents, yaml_contents, product_yaml["product"], cce) try: changes = fix_file(rule_path, product_yaml, fix_callback) except RuntimeError as exc: - msg = ( # noqa: F841 + msg = ( "Error adding CCE into {rule_path}: {exc}" .format(rule_path=rule_path, exc=str(exc))) - raise RuntimeError(exc) + raise RuntimeError(msg) from exc if changes: cce_pool.remove_cce_from_file(cce) diff --git a/utils/oscal/params_extractor.py b/utils/oscal/params_extractor.py index e69aeb2c2f67..283e97bffd93 100644 --- a/utils/oscal/params_extractor.py +++ b/utils/oscal/params_extractor.py @@ -110,7 +110,7 @@ def _load_param_info(self, param_id: str) -> ParamInfo: logger.info(f"Adding parameter {parameter_id}") return param_obj except KeyError as e: - raise ValueError(f"Could not find parameter {param_id}: {e}") + raise ValueError(f"Could not find parameter {param_id}: {e}") from e except ValueError as e: logger.warning(f"Var file {file} has missing fields: {e}") return param_obj From 627431396faf7fd25a605ce982713d36dee5cb07 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 07:24:01 -0600 Subject: [PATCH 028/265] Adjust re.sub inn ssg/ansible.py 1. re.M to re.MULTILINE for better clarity 2. Added `count` kwarg for clarity --- ssg/ansible.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssg/ansible.py b/ssg/ansible.py index 3eb3eca83e5f..d30ecd991c55 100644 --- a/ssg/ansible.py +++ b/ssg/ansible.py @@ -67,7 +67,7 @@ def remove_too_many_blank_lines(ansible_src): Returns: str: The modified string with excessive blank lines reduced. """ - return re.sub(r'\n{4,}', '\n\n\n', ansible_src, 0, flags=re.M) + return re.sub(r'\n{4,}', '\n\n\n', ansible_src, count=0, flags=re.MULTILINE) def remove_trailing_whitespace(ansible_src): 
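Review bot: In remove_too_many_blank_lines the new `flags=re.MULTILINE` has no effect, because `r'\n{4,}'` contains no `^`/`$` anchors, and `count=0` restates the default; both keywords suggest behavior the call does not have. `return re.sub(r'\n{4,}', '\n\n\n', ansible_src)` is equivalent and clearer, whereas the MULTILINE flag in the sibling remove_trailing_whitespace (next hunk) is genuinely needed for its `$`. If the keywords are kept for symmetry with that function, a short comment saying so would spare the next reader the same question.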
@@ -81,7 +81,7 @@ def remove_trailing_whitespace(ansible_src): str: The Ansible source code with trailing whitespace removed from each line. """ - return re.sub(r'[ \t]+$', '', ansible_src, 0, flags=re.M) + return re.sub(r'[ \t]+$', '', ansible_src, count=0, flags=re.MULTILINE) package_facts_task = collections.OrderedDict([ From 421afa06a2d2e1ae35666d907ffa9382f88c781a Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 07:25:10 -0600 Subject: [PATCH 029/265] Don't compare types with `is` use isinstance --- ssg/boolean_expression.py | 2 +- ssg/build_remediations.py | 2 +- ssg/controls.py | 2 +- utils/ansible_shell_diff.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ssg/boolean_expression.py b/ssg/boolean_expression.py index 740bf3eb4252..b13b90d639d0 100644 --- a/ssg/boolean_expression.py +++ b/ssg/boolean_expression.py @@ -71,7 +71,7 @@ def __call__(self, **kwargs): full_name += '[' + self.arg + ']' val = kwargs.get(full_name, False) if self.requirement.has_version_specs(): - if type(val) is str: + if isinstance(val, str): return val in self.requirement return False return bool(val) diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py index 8ce637eff8fe..9c3ef1c3eb3e 100644 --- a/ssg/build_remediations.py +++ b/ssg/build_remediations.py @@ -391,7 +391,7 @@ def inject_package_facts_task(self, parsed_snippet): # When clause of the task can be string or a list, lets normalize to list task_when = p_task.get("when", "") - if type(task_when) is str: + if isinstance(task_when, str): task_when = [task_when] for when in task_when: if "ansible_facts.packages" in when: diff --git a/ssg/controls.py b/ssg/controls.py index 3433af01cfdb..a3dbd7e576f5 100644 --- a/ssg/controls.py +++ b/ssg/controls.py 
@@ -254,7 +254,7 @@ def from_control_dict(cls, control_dict, env_yaml=None, default_level=["default" % (control.automated, control.id, control.title)) raise ValueError(msg) control.levels = control_dict.get("levels", default_level) - if type(control.levels) is not list: + if not isinstance(control.levels, list): msg = "Levels for %s must be an array" % control.id raise ValueError(msg) control.notes = control_dict.get("notes", "") diff --git a/utils/ansible_shell_diff.py b/utils/ansible_shell_diff.py index 48d5f447102d..8c55ea1f79f2 100755 --- a/utils/ansible_shell_diff.py +++ b/utils/ansible_shell_diff.py @@ -25,7 +25,7 @@ def get_shell_tasks(tasks): for task in tasks: for task_name in ['shell', 'ansible.builtin.shell', 'command', 'ansible.builtin.command']: if task_name in task: - if type(task[task_name]) is dict and 'cmd' in task[task_name]: + if isinstance(task[task_name], dict) and 'cmd' in task[task_name]: shell_tasks.append(task[task_name]['cmd']) else: shell_tasks.append(task[task_name]) From c5fc9bf628cd92b096d67d9c6f1a5cc30cab70e4 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 07:26:25 -0600 Subject: [PATCH 030/265] Remove mutable defaults from functions --- ssg/controls.py | 4 +++- ssg/yaml.py | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ssg/controls.py b/ssg/controls.py index a3dbd7e576f5..c537bb1baf6d 100644 --- a/ssg/controls.py +++ b/ssg/controls.py @@ -211,7 +211,7 @@ def _check_keys(cls, control_dict): raise ValueError("Key %s is not allowed in a control file." % key) @classmethod - def from_control_dict(cls, control_dict, env_yaml=None, default_level=["default"]): + def from_control_dict(cls, control_dict, env_yaml=None, default_level=None): """ Create a control instance from a dictionary of control attributes. 
@@ -227,6 +227,8 @@ def from_control_dict(cls, control_dict, env_yaml=None, default_level=["default" Raises: ValueError: If the 'automated' key has an invalid value or if 'levels' is not a list. """ + if default_level is None: + default_level = ["default"] cls._check_keys(control_dict) control = cls() control.id = ssg.utils.required_key(control_dict, "id") diff --git a/ssg/yaml.py b/ssg/yaml.py index d356c39f3a68..a52aa65d5327 100644 --- a/ssg/yaml.py +++ b/ssg/yaml.py @@ -118,7 +118,7 @@ def _get_yaml_contents_without_documentation_complete(parsed_yaml, substitutions return parsed_yaml -def _open_yaml(stream, original_file=None, substitutions_dict={}): +def _open_yaml(stream, original_file=None, substitutions_dict=None): """ Open given file-like object and parse it as YAML. @@ -137,6 +137,8 @@ def _open_yaml(stream, original_file=None, substitutions_dict={}): set to "false". Exception: For any other exceptions, including tab indentation errors in the file. """ + if substitutions_dict is None: + substitutions_dict = {} try: yaml_contents = yaml.load(stream, Loader=yaml_SafeLoader) From 250f3cdf7f7ad1d5df7b087f0236bd4dac0e734e Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 07:27:46 -0600 Subject: [PATCH 031/265] Remove loop variable shadowing utils/generate_profile.py Adjust control flow as well. --- utils/generate_profile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/generate_profile.py b/utils/generate_profile.py index b02b12b839ea..bd7917581a7e 100755 --- a/utils/generate_profile.py +++ b/utils/generate_profile.py @@ -194,8 +194,8 @@ def _generate(self, node: pycompliance.Node) -> dict: d['levels'] = node.level.replace(' ', '_').lower() if node.children: d['controls'] = [] - for node in node.children: - d['controls'].append(self._generate(node)) + for sub_node in node.children: + d['controls'].append(self._generate(sub_node)) return d From eb618af68ec4a0783be7de2931e22c59e8cb2289 Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Tue, 3 Feb 2026 07:33:16 -0600 Subject: [PATCH 032/265] Remove unused variables in loops Unused variables in loops changed in `_` for clarity. --- tests/ssg_test_suite/rule.py | 2 +- tests/ssg_test_suite/virt.py | 2 +- tests/stable_profile_ids.py | 2 +- tests/test_profile_stability.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/ssg_test_suite/rule.py b/tests/ssg_test_suite/rule.py index 820b9d488bdb..691e71fd1b0e 100644 --- a/tests/ssg_test_suite/rule.py +++ b/tests/ssg_test_suite/rule.py @@ -302,7 +302,7 @@ def _get_rules_to_test(self): self.datastream, self.benchmark_id) rules = [] - for dirpath, dirnames, filenames in common.walk_through_benchmark_dirs( + for dirpath, _, _ in common.walk_through_benchmark_dirs( product): if not is_rule_dir(dirpath): continue diff --git a/tests/ssg_test_suite/virt.py b/tests/ssg_test_suite/virt.py index 98b76de18248..17a4816acda1 100644 --- a/tests/ssg_test_suite/virt.py +++ b/tests/ssg_test_suite/virt.py @@ -144,7 +144,7 @@ def determine_ip(domain): 0) # get IPv4 address of the guest - for (name, val) in ifaces.items(): + for (_, val) in ifaces.items(): if val['hwaddr'] == domain_mac and val['addrs']: for ipaddr in val['addrs']: if ipaddr['type'] == libvirt.VIR_IP_ADDR_TYPE_IPV4: diff --git a/tests/stable_profile_ids.py b/tests/stable_profile_ids.py index 35a3cc8923c6..d71cac6f3e56 100755 --- a/tests/stable_profile_ids.py +++ b/tests/stable_profile_ids.py @@ -56,7 +56,7 @@ def gather_profiles_from_datastream(path, build_dir, profiles_per_benchmark): benchmark_profile_pairs = ssg.build_guides.get_benchmark_profile_pairs( input_tree, benchmarks) - for bench_id, profile_id, title in benchmark_profile_pairs: + for bench_id, profile_id, _ in benchmark_profile_pairs: bench_short_id = bench_id[len(BENCHMARK_ID_PREFIX):] if respective_datastream_absent(bench_short_id, build_dir): continue 
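Review bot: In determine_ip the rewritten `for (_, val) in ifaces.items():` discards the key, so `for val in ifaces.values():` expresses the intent directly and drops the placeholder. The loop body only reads `val`, so behavior is unchanged. The other hunks in this commit unpack tuples from os.walk and project iterators, where a `_` placeholder is the right tool.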
diff --git a/tests/test_profile_stability.py b/tests/test_profile_stability.py index 8d89dfc8b67d..d72b3af2f79d 100644 --- a/tests/test_profile_stability.py +++ b/tests/test_profile_stability.py @@ -34,7 +34,7 @@ def compare_sets(reference, sample): def get_references_filenames(ref_root): found = [] - for root, dirs, files in os.walk(ref_root): + for root, _, files in os.walk(ref_root): for basename in files: if fnmatch.fnmatch(basename, "*.profile"): filename = os.path.join(root, basename) From c7d3cdc0551da1f4a5df3df4143c1879034687e0 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 07:33:52 -0600 Subject: [PATCH 033/265] Fix Multi character string in strip is misleading --- utils/ansible_playbook_to_role.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py index 257359acdad9..a01579f92103 100755 --- a/utils/ansible_playbook_to_role.py +++ b/utils/ansible_playbook_to_role.py @@ -280,7 +280,7 @@ def _description(self): break else: desc += (line + "\n") - return desc.strip("\n\n") + return desc.strip("\n") @property def _update_galaxy_tags(self): From f71fdb9b2c2e75e0cecb39f2e815c6bbd1838473 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 07:36:08 -0600 Subject: [PATCH 034/265] Replace ineffective next with continue --- utils/ansible_playbook_to_role.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py index a01579f92103..4faeb7ca3690 100755 --- a/utils/ansible_playbook_to_role.py +++ b/utils/ansible_playbook_to_role.py @@ -197,7 +197,7 @@ def added_variables(self): variables = set() for task in self.tasks_data: if "tags" not in task: - next + continue if "when" not in task: task["when"] = [] elif isinstance(task["when"], str): From 9d2c21a79461508a1efb62eacfd8b8a3adb5ca33 Mon Sep 17 00:00:00 2001 
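Review bot: Replacing the bare `next` with `continue` in added_variables is a behavior change rather than a pure cleanup: the old statement was a no-op, so tasks without a `tags` key fell through to the `when` handling below, and they are now skipped entirely. If that is intended (presumably only tagged tasks should contribute variables) the commit message should say so; if not, the no-op should simply be deleted. A one-line comment above the check, e.g. `# untagged tasks cannot be selected by tag, so they contribute no variables`, would document the decision either way. added_variables continues outside the hunk.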
From: Matthew Burket Date: Tue, 3 Feb 2026 07:36:32 -0600 Subject: [PATCH 035/265] Adjust pytest.raises to be more specific --- tests/unit/ssg-module/test_build_yaml.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/unit/ssg-module/test_build_yaml.py b/tests/unit/ssg-module/test_build_yaml.py index 60e703a8fdf4..38c2802f4b98 100644 --- a/tests/unit/ssg-module/test_build_yaml.py +++ b/tests/unit/ssg-module/test_build_yaml.py @@ -572,7 +572,8 @@ def test_profile_with_version(profile_with_version): profile_el = profile_with_version.to_xml_element() assert profile_el.find("{%s}version" % XCCDF12_NS).text == "3.2.1" + def test_profile_ospp_with_invalid_status(): value_file = os.path.join(DATADIR, "ospp_invalid_status.profile") - with pytest.raises(Exception): + with pytest.raises(RuntimeError): profile = ssg.build_yaml.Profile.from_yaml(value_file) # noqa: F841 From 219fa5425bff485fe973365d235035b5c3296c60 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 10:28:31 -0600 Subject: [PATCH 036/265] Make the pyproject reflect 3.6+ nature of the project. --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 3acf91a4a68b..6290304e2901 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -11,7 +11,7 @@ dependencies = [ "Jinja2", "setuptools" ] -requires-python = ">= 3" +requires-python = ">=3.6" maintainers = [ {name = "Gabriel Gaspar Becker", email = "ggasparb@redhat.com"}, {name = "Jan Cerny", email = "jcerny@redhat.com"}, From 4d2cddcaed10121ca4b893269b0aa8e3282c97ad Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 3 Feb 2026 10:47:18 -0600 Subject: [PATCH 037/265] Fix potential NameError in params_extractor exception handler If error happened before param_obj was set this method could have return NameError. Adding a logging line then returning. --- utils/oscal/params_extractor.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
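Review bot: In test_profile_ospp_with_invalid_status the `profile = ... # noqa: F841` line survives even though the narrowed `pytest.raises(RuntimeError)` is the only thing under test; dropping the assignment, `ssg.build_yaml.Profile.from_yaml(value_file)`, removes both the unused name and the lint suppression. Pinning the message with `pytest.raises(RuntimeError, match=...)` would also make the test fail if an unrelated RuntimeError is raised before the status check, which the exception type alone cannot distinguish.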
diff --git a/utils/oscal/params_extractor.py b/utils/oscal/params_extractor.py index 283e97bffd93..a329dc6c05b2 100644 --- a/utils/oscal/params_extractor.py +++ b/utils/oscal/params_extractor.py @@ -96,6 +96,7 @@ def get_all_selected_values(self) -> Dict[str, str]: def _load_param_info(self, param_id: str) -> ParamInfo: """Load the param from the var file.""" + file = None try: file = self.param_files_for_product[param_id] value_yaml = ssg.build_yaml.Value.from_yaml(file, self.env_yaml) @@ -113,4 +114,4 @@ def _load_param_info(self, param_id: str) -> ParamInfo: raise ValueError(f"Could not find parameter {param_id}: {e}") from e except ValueError as e: logger.warning(f"Var file {file} has missing fields: {e}") - return param_obj + raise From 463ebccb031f5382365ef92401f3718859d4ddf3 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 5 Feb 2026 12:50:44 -0600 Subject: [PATCH 038/265] Fix variable shadowing in ssg/build_guides.py --- ssg/build_guides.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ssg/build_guides.py b/ssg/build_guides.py index 75bbf84703a6..c54580df484a 100644 --- a/ssg/build_guides.py +++ b/ssg/build_guides.py @@ -52,7 +52,7 @@ def generate_for_input_content(input_content, benchmark_id, profile_id): return subprocess.check_output(args).decode("utf-8") -def builder(queue): +def builder(task_queue): """ Fetch from a queue of tasks, process tasks until the queue is empty. Each task is processed with generate_for_input_content, and the @@ -63,7 +63,7 @@ def builder(queue): while True: try: benchmark_id, profile_id, input_path, guide_path = \ - queue.get(False) + task_queue.get(False) guide_html = generate_for_input_content( input_path, benchmark_id, profile_id @@ -72,7 +72,7 @@ def builder(queue): with open(guide_path, "wb") as guide_file: guide_file.write(guide_html.encode("utf-8")) - queue.task_done() + task_queue.task_done() except queue.Empty: break except Exception as error: 
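Review bot: _load_param_info now re-raises in the `except ValueError` branch while the docstring still says only `Load the param from the var file.` and the annotation promises a ParamInfo, so callers that previously got a return value (or an unbound-name error) now have to catch; a `Raises: ValueError` line describing the unknown-parameter and missing-fields cases belongs in the docstring. The ValueError raised inside the `except KeyError` handler is not caught by the sibling `except ValueError`, so the two paths stay distinct, which is easy to misread and worth a one-line comment. The function body continues between the two hunks shown.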
@@ -80,8 +80,8 @@ def builder(queue): "Fatal error encountered when generating guide '%s'. " "Error details:\n%s\n\n" % (guide_path, error) ) - with queue.mutex: - queue.queue.clear() + with task_queue.mutex: + task_queue.queue.clear() raise error From 01742ec8d96156bfd0f2717a057c7e6842c0ca12 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 5 Feb 2026 12:51:54 -0600 Subject: [PATCH 039/265] Adjust formatting for comment in tests/unit/ssg-module/test_build_renumber.py --- tests/unit/ssg-module/test_build_renumber.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/unit/ssg-module/test_build_renumber.py b/tests/unit/ssg-module/test_build_renumber.py index 990ddde20857..90db64ecfa20 100644 --- a/tests/unit/ssg-module/test_build_renumber.py +++ b/tests/unit/ssg-module/test_build_renumber.py @@ -195,6 +195,6 @@ def xccdf_with_no_cce(): def test_verify_correct_form_of_referenced_cce_identifiers_no_cce( xccdf_with_no_cce): - # Should not raise an exception when there's no CCE + # Should not raise an exception when there's no CCE ssg.build_renumber.verify_correct_form_of_referenced_cce_identifiers( xccdf_with_no_cce) From 805f03fe770d261e8ebc30f5eeb0b251ff4c9525 Mon Sep 17 00:00:00 2001 From: Arden97 Date: Wed, 11 Feb 2026 00:15:15 +0100 Subject: [PATCH 040/265] audit_rules_watch fail tests sed update --- tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh | 3 ++- .../audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh | 3 ++- .../augenrules_wrong_rule_without_key.fail.sh | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh b/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh index fd2392404e5d..5151b4181df1 100644 --- a/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh +++ b/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh 
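Review bot: The rewritten `with task_queue.mutex: task_queue.queue.clear()` reaches into queue.Queue internals (`mutex` and the underlying `queue` container) that are not part of the documented API, so a future Python release could change them without notice; the rename is a good moment to drain through the public interface instead, e.g. a loop calling `task_queue.get_nowait()` until `queue.Empty`. The trailing `raise error` can also be a bare `raise`, which re-raises the active exception with its traceback intact. This hunk is the tail of the except clause that begins in the previous hunk.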
@@ -2,7 +2,8 @@ # packages = audit if [[ "$style" == "modern" ]] ; then - sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/audit.rules echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules else diff --git a/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh b/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh index ed0cb28f15fa..98b0fdbcc042 100644 --- a/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh +++ b/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh @@ -2,7 +2,8 @@ # packages = audit if [[ "$style" == "modern" ]] ; then - sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/audit.rules echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules else diff --git a/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh b/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh index 841ad9ea2974..b5a1cb50b7a6 100644 --- a/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh +++ b/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh 
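Review bot: The new `escaped_path=$(echo "$path" | sed 's/\//\\\//g')` escapes only the slash, so other regex metacharacters in `$path` (`.`, `*`, `[`) still reach the outer `sed "/$filter_type=$escaped_path/d"` unescaped; a path containing a dot is then matched with `.` as a wildcard, which over-deletes rather than under-deletes, harmless for this fail scenario but not a literal match. A form such as `escaped_path=$(printf '%s\n' "$path" | sed 's|[][/.*^$]|\\&|g')` (suggested, untested here) escapes the usual BRE metacharacters and also avoids `echo` interpreting a path that begins with `-`. The same construction is repeated in the second hunk of this commit and in augenrules_wrong_rule_without_key.fail.sh, so whichever form is chosen should be applied to all three.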
@@ -3,7 +3,8 @@ if [[ "$style" == "modern" ]] ; then - sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/rules.d/*.rules 2>/dev/null || true + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w" >> /etc/audit/rules.d/login.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w" >> /etc/audit/rules.d/login.rules else From c8733ac3b0bd8ff34025b95defee96a9a8ca4614 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 11 Feb 2026 11:57:26 +0100 Subject: [PATCH 041/265] rhel9: logind_session_timeout switch to dropin file --- .../logind_session_timeout/ansible/shared.yml | 2 +- .../accounts-physical/logind_session_timeout/bash/shared.sh | 2 +- .../accounts-physical/logind_session_timeout/oval/shared.xml | 4 ++-- .../accounts-physical/logind_session_timeout/tests/common.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml index 13dbf9ec612f..953b012f9bb6 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml @@ -6,7 +6,7 @@ {{{ ansible_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["sle15", "sle16"] %}} +{{% if product in ["rhel9", "sle15", "sle16"] %}} # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} {{% else %}} 
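Review bot: The product list `["rhel9", "sle15", "sle16"]` that selects the drop-in path is now written out in five places across ansible/shared.yml, bash/shared.sh, oval/shared.xml (twice) and tests/common.sh; the next product added to one file but not the others would leave the OVAL check inspecting a different file than the remediation writes. Hoisting the decision into one shared Jinja macro or variable (for example a single `logind_uses_dropin` boolean reused by all four templates) would keep check, remediation and test environment in agreement by construction. The `else` branch of each template lies outside the hunks shown.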
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh index 72a2ca90de7e..bf779b4c5825 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh @@ -2,7 +2,7 @@ {{{ bash_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["sle15", "sle16"] %}} +{{% if product in ["rhel9", "sle15", "sle16"] %}} # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} {{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml index e4466d9b0c9b..d920c76d80f1 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml @@ -1,4 +1,4 @@ -{{% if product in ["sle15", "sle16"] %}} +{{% if product in ["rhel9", "sle15", "sle16"] %}} {{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}} {{% else %}} {{% set logind_conf_file = "/etc/systemd/logind.conf" %}} @@ -6,7 +6,7 @@ - {{% if product in ["sle15", "sle16"] %}} + {{% if product in ["rhel9", "sle15", "sle16"] %}} {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh index 441b663d9240..aeb406f144d8 100644 
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh @@ -3,7 +3,7 @@ # this file prepares unified test environment used by other scenarios # These should be tuned per product to match defaults -{{% if product in ["sle15", "sle16"] %}} +{{% if product in ["rhel9", "sle15", "sle16"] %}} LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" mkdir -p /etc/systemd/logind.conf.d/ {{% else %}} From b1b5adbe8ebdc1c2a4994fbc1b50856113bb01ad Mon Sep 17 00:00:00 2001 From: cealcorn Date: Tue, 10 Feb 2026 21:29:19 -0800 Subject: [PATCH 042/265] fixed errors bascontrol22d4 commented out in ./CMakeLists.txt --- CMakeLists.txt | 6 +- build/.gitkeep | 0 products/bascontrol22d4/CMakeCache.txt | 374 ------------------ products/bascontrol22d4/product.yml | 8 +- .../bascontrol22d4/profiles/standard.profile | 3 +- ssg/constants.py | 2 +- 6 files changed, 9 insertions(+), 384 deletions(-) delete mode 100644 build/.gitkeep delete mode 100644 products/bascontrol22d4/CMakeCache.txt diff --git a/CMakeLists.txt b/CMakeLists.txt index 7d48dcbe37a3..6ac1cd172e18 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -399,9 +399,9 @@ endif() if(SSG_PRODUCT_ANOLIS23) add_subdirectory("products/anolis23" "anolis23") endif() -if(SSG_PRODUCT_BASCONTROL22D4) - add_subdirectory("products/bascontrol22d4" "bascontrol22d4") -endif() +#if(SSG_PRODUCT_BASCONTROL22D4) +# add_subdirectory("products/bascontrol22d4" "bascontrol22d4") +#endif() if(SSG_PRODUCT_DEBIAN11) add_subdirectory("products/debian11" "debian11") endif() diff --git a/build/.gitkeep b/build/.gitkeep deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/products/bascontrol22d4/CMakeCache.txt b/products/bascontrol22d4/CMakeCache.txt deleted file mode 100644 index ee9244e33dc8..000000000000 --- a/products/bascontrol22d4/CMakeCache.txt +++ /dev/null 
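Review bot: Commenting out the `if(SSG_PRODUCT_BASCONTROL22D4)` block leaves dead code in CMakeLists.txt and, if the `SSG_PRODUCT_BASCONTROL22D4` option is still declared elsewhere (not visible here), a user who turns it on silently gets no product and no error. Either remove the three lines until the product builds, or keep them active and have the option default to OFF; if the block must stay commented, add a line explaining why and what unblocks it, e.g. `# bascontrol22d4 disabled: <reason placeholder>, see <tracking issue placeholder>`. The commit title mentions errors but the diff does not record which.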
@@ -1,374 +0,0 @@ -# This is the CMakeCache file. -# For build in directory: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 -# It was generated by CMake: /usr/bin/cmake -# You can edit this file to change values found and used by cmake. -# If you do not want to change any of the values, simply exit the editor. -# If you do want to change a value, simply edit, save, and exit the editor. -# The syntax for the file is as follows: -# KEY:TYPE=VALUE -# KEY is the name of a variable in the cache. -# TYPE is a hint to GUIs for the type of VALUE, DO NOT EDIT TYPE!. -# VALUE is the current value for the KEY. - -######################## -# EXTERNAL cache entries -######################## - -//Path to a program. -CMAKE_ADDR2LINE:FILEPATH=/usr/bin/addr2line - -//Path to a program. -CMAKE_AR:FILEPATH=/usr/bin/ar - -//For backwards compatibility, what version of CMake commands and -// syntax should this version of CMake try to support. -CMAKE_BACKWARDS_COMPATIBILITY:STRING=2.4 - -//Choose the type of build, options are: None Debug Release RelWithDebInfo -// MinSizeRel ... -CMAKE_BUILD_TYPE:STRING= - -//Enable/Disable color output during build. -CMAKE_COLOR_MAKEFILE:BOOL=ON - -//CXX compiler -CMAKE_CXX_COMPILER:FILEPATH=CMAKE_CXX_COMPILER-NOTFOUND - -//Flags used by the CXX compiler during all build types. -CMAKE_CXX_FLAGS:STRING= - -//Flags used by the CXX compiler during DEBUG builds. -CMAKE_CXX_FLAGS_DEBUG:STRING= - -//Flags used by the CXX compiler during MINSIZEREL builds. -CMAKE_CXX_FLAGS_MINSIZEREL:STRING= - -//Flags used by the CXX compiler during RELEASE builds. -CMAKE_CXX_FLAGS_RELEASE:STRING= - -//Flags used by the CXX compiler during RELWITHDEBINFO builds. 
-CMAKE_CXX_FLAGS_RELWITHDEBINFO:STRING= - -//C compiler -CMAKE_C_COMPILER:FILEPATH=/usr/bin/cc - -//A wrapper around 'ar' adding the appropriate '--plugin' option -// for the GCC compiler -CMAKE_C_COMPILER_AR:FILEPATH=/usr/bin/gcc-ar - -//A wrapper around 'ranlib' adding the appropriate '--plugin' option -// for the GCC compiler -CMAKE_C_COMPILER_RANLIB:FILEPATH=/usr/bin/gcc-ranlib - -//Flags used by the C compiler during all build types. -CMAKE_C_FLAGS:STRING= - -//Flags used by the C compiler during DEBUG builds. -CMAKE_C_FLAGS_DEBUG:STRING=-g - -//Flags used by the C compiler during MINSIZEREL builds. -CMAKE_C_FLAGS_MINSIZEREL:STRING=-Os -DNDEBUG - -//Flags used by the C compiler during RELEASE builds. -CMAKE_C_FLAGS_RELEASE:STRING=-O3 -DNDEBUG - -//Flags used by the C compiler during RELWITHDEBINFO builds. -CMAKE_C_FLAGS_RELWITHDEBINFO:STRING=-O2 -g -DNDEBUG - -//Path to a program. -CMAKE_DLLTOOL:FILEPATH=CMAKE_DLLTOOL-NOTFOUND - -//Flags used by the linker during all build types. -CMAKE_EXE_LINKER_FLAGS:STRING= - -//Flags used by the linker during DEBUG builds. -CMAKE_EXE_LINKER_FLAGS_DEBUG:STRING= - -//Flags used by the linker during MINSIZEREL builds. -CMAKE_EXE_LINKER_FLAGS_MINSIZEREL:STRING= - -//Flags used by the linker during RELEASE builds. -CMAKE_EXE_LINKER_FLAGS_RELEASE:STRING= - -//Flags used by the linker during RELWITHDEBINFO builds. -CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO:STRING= - -//Enable/Disable output of compile commands during generation. -CMAKE_EXPORT_COMPILE_COMMANDS:BOOL= - -//Value Computed by CMake. -CMAKE_FIND_PACKAGE_REDIRECTS_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/pkgRedirects - -//Install path prefix, prepended onto install directories. -CMAKE_INSTALL_PREFIX:PATH=/usr/local - -//Path to a program. -CMAKE_LINKER:FILEPATH=/usr/bin/ld - -//Path to a program. 
-CMAKE_MAKE_PROGRAM:FILEPATH=/usr/bin/gmake - -//Flags used by the linker during the creation of modules during -// all build types. -CMAKE_MODULE_LINKER_FLAGS:STRING= - -//Flags used by the linker during the creation of modules during -// DEBUG builds. -CMAKE_MODULE_LINKER_FLAGS_DEBUG:STRING= - -//Flags used by the linker during the creation of modules during -// MINSIZEREL builds. -CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL:STRING= - -//Flags used by the linker during the creation of modules during -// RELEASE builds. -CMAKE_MODULE_LINKER_FLAGS_RELEASE:STRING= - -//Flags used by the linker during the creation of modules during -// RELWITHDEBINFO builds. -CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO:STRING= - -//Path to a program. -CMAKE_NM:FILEPATH=/usr/bin/nm - -//Path to a program. -CMAKE_OBJCOPY:FILEPATH=/usr/bin/objcopy - -//Path to a program. -CMAKE_OBJDUMP:FILEPATH=/usr/bin/objdump - -//Value Computed by CMake -CMAKE_PROJECT_DESCRIPTION:STATIC= - -//Value Computed by CMake -CMAKE_PROJECT_HOMEPAGE_URL:STATIC= - -//Value Computed by CMake -CMAKE_PROJECT_NAME:STATIC=Project - -//Path to a program. -CMAKE_RANLIB:FILEPATH=/usr/bin/ranlib - -//Path to a program. -CMAKE_READELF:FILEPATH=/usr/bin/readelf - -//Flags used by the linker during the creation of shared libraries -// during all build types. -CMAKE_SHARED_LINKER_FLAGS:STRING= - -//Flags used by the linker during the creation of shared libraries -// during DEBUG builds. -CMAKE_SHARED_LINKER_FLAGS_DEBUG:STRING= - -//Flags used by the linker during the creation of shared libraries -// during MINSIZEREL builds. -CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL:STRING= - -//Flags used by the linker during the creation of shared libraries -// during RELEASE builds. -CMAKE_SHARED_LINKER_FLAGS_RELEASE:STRING= - -//Flags used by the linker during the creation of shared libraries -// during RELWITHDEBINFO builds. 
-CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO:STRING= - -//If set, runtime paths are not added when installing shared libraries, -// but are added when building. -CMAKE_SKIP_INSTALL_RPATH:BOOL=NO - -//If set, runtime paths are not added when using shared libraries. -CMAKE_SKIP_RPATH:BOOL=NO - -//Flags used by the linker during the creation of static libraries -// during all build types. -CMAKE_STATIC_LINKER_FLAGS:STRING= - -//Flags used by the linker during the creation of static libraries -// during DEBUG builds. -CMAKE_STATIC_LINKER_FLAGS_DEBUG:STRING= - -//Flags used by the linker during the creation of static libraries -// during MINSIZEREL builds. -CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL:STRING= - -//Flags used by the linker during the creation of static libraries -// during RELEASE builds. -CMAKE_STATIC_LINKER_FLAGS_RELEASE:STRING= - -//Flags used by the linker during the creation of static libraries -// during RELWITHDEBINFO builds. -CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO:STRING= - -//Path to a program. -CMAKE_STRIP:FILEPATH=/usr/bin/strip - -//If this value is on, makefiles will be generated without the -// .SILENT directive, and all commands will be echoed to the console -// during the make. This is useful for debugging only. With Visual -// Studio IDE projects all commands are done without /nologo. -CMAKE_VERBOSE_MAKEFILE:BOOL=FALSE - -//Single output directory for building all executables. -EXECUTABLE_OUTPUT_PATH:PATH= - -//Single output directory for building all libraries. 
-LIBRARY_OUTPUT_PATH:PATH= - -//Value Computed by CMake -Project_BINARY_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 - -//Value Computed by CMake -Project_IS_TOP_LEVEL:STATIC=ON - -//Value Computed by CMake -Project_SOURCE_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 - - -######################## -# INTERNAL cache entries -######################## - -//ADVANCED property for variable: CMAKE_ADDR2LINE -CMAKE_ADDR2LINE-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_AR -CMAKE_AR-ADVANCED:INTERNAL=1 -//This is the directory where this CMakeCache.txt was created -CMAKE_CACHEFILE_DIR:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 -//Major version of cmake used to create the current loaded cache -CMAKE_CACHE_MAJOR_VERSION:INTERNAL=3 -//Minor version of cmake used to create the current loaded cache -CMAKE_CACHE_MINOR_VERSION:INTERNAL=26 -//Patch version of cmake used to create the current loaded cache -CMAKE_CACHE_PATCH_VERSION:INTERNAL=3 -//ADVANCED property for variable: CMAKE_COLOR_MAKEFILE -CMAKE_COLOR_MAKEFILE-ADVANCED:INTERNAL=1 -//Path to CMake executable. -CMAKE_COMMAND:INTERNAL=/usr/bin/cmake -//Path to cpack program executable. -CMAKE_CPACK_COMMAND:INTERNAL=/usr/bin/cpack -//Path to ctest program executable. 
-CMAKE_CTEST_COMMAND:INTERNAL=/usr/bin/ctest -//ADVANCED property for variable: CMAKE_CXX_COMPILER -CMAKE_CXX_COMPILER-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_CXX_FLAGS -CMAKE_CXX_FLAGS-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_CXX_FLAGS_DEBUG -CMAKE_CXX_FLAGS_DEBUG-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_CXX_FLAGS_MINSIZEREL -CMAKE_CXX_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELEASE -CMAKE_CXX_FLAGS_RELEASE-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELWITHDEBINFO -CMAKE_CXX_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_COMPILER -CMAKE_C_COMPILER-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_COMPILER_AR -CMAKE_C_COMPILER_AR-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_COMPILER_RANLIB -CMAKE_C_COMPILER_RANLIB-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_FLAGS -CMAKE_C_FLAGS-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_FLAGS_DEBUG -CMAKE_C_FLAGS_DEBUG-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_FLAGS_MINSIZEREL -CMAKE_C_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_FLAGS_RELEASE -CMAKE_C_FLAGS_RELEASE-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_C_FLAGS_RELWITHDEBINFO -CMAKE_C_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_DLLTOOL -CMAKE_DLLTOOL-ADVANCED:INTERNAL=1 -//Path to cache edit program executable. 
-CMAKE_EDIT_COMMAND:INTERNAL=/usr/bin/ccmake -//Executable file format -CMAKE_EXECUTABLE_FORMAT:INTERNAL=ELF -//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS -CMAKE_EXE_LINKER_FLAGS-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_DEBUG -CMAKE_EXE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_MINSIZEREL -CMAKE_EXE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELEASE -CMAKE_EXE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO -CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_EXPORT_COMPILE_COMMANDS -CMAKE_EXPORT_COMPILE_COMMANDS-ADVANCED:INTERNAL=1 -//Name of external makefile project generator. -CMAKE_EXTRA_GENERATOR:INTERNAL= -//Name of generator. -CMAKE_GENERATOR:INTERNAL=Unix Makefiles -//Generator instance identifier. -CMAKE_GENERATOR_INSTANCE:INTERNAL= -//Name of generator platform. -CMAKE_GENERATOR_PLATFORM:INTERNAL= -//Name of generator toolset. -CMAKE_GENERATOR_TOOLSET:INTERNAL= -//Source directory with the top level CMakeLists.txt file for this -// project -CMAKE_HOME_DIRECTORY:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4 -//Install .so files without execute permission. 
-CMAKE_INSTALL_SO_NO_EXE:INTERNAL=0 -//ADVANCED property for variable: CMAKE_LINKER -CMAKE_LINKER-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_MAKE_PROGRAM -CMAKE_MAKE_PROGRAM-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS -CMAKE_MODULE_LINKER_FLAGS-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_DEBUG -CMAKE_MODULE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL -CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELEASE -CMAKE_MODULE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO -CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_NM -CMAKE_NM-ADVANCED:INTERNAL=1 -//number of local generators -CMAKE_NUMBER_OF_MAKEFILES:INTERNAL=1 -//ADVANCED property for variable: CMAKE_OBJCOPY -CMAKE_OBJCOPY-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_OBJDUMP -CMAKE_OBJDUMP-ADVANCED:INTERNAL=1 -//Platform information initialized -CMAKE_PLATFORM_INFO_INITIALIZED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_RANLIB -CMAKE_RANLIB-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_READELF -CMAKE_READELF-ADVANCED:INTERNAL=1 -//Path to CMake installation. 
-CMAKE_ROOT:INTERNAL=/usr/share/cmake -//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS -CMAKE_SHARED_LINKER_FLAGS-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_DEBUG -CMAKE_SHARED_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL -CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELEASE -CMAKE_SHARED_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO -CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_SKIP_INSTALL_RPATH -CMAKE_SKIP_INSTALL_RPATH-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_SKIP_RPATH -CMAKE_SKIP_RPATH-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS -CMAKE_STATIC_LINKER_FLAGS-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_DEBUG -CMAKE_STATIC_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL -CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELEASE -CMAKE_STATIC_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO -CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1 -//ADVANCED property for variable: CMAKE_STRIP -CMAKE_STRIP-ADVANCED:INTERNAL=1 -//uname command -CMAKE_UNAME:INTERNAL=/usr/bin/uname -//ADVANCED property for variable: CMAKE_VERBOSE_MAKEFILE -CMAKE_VERBOSE_MAKEFILE-ADVANCED:INTERNAL=1 -//linker supports push/pop state -_CMAKE_LINKER_PUSHPOP_STATE_SUPPORTED:INTERNAL=TRUE - diff --git a/products/bascontrol22d4/product.yml b/products/bascontrol22d4/product.yml index f0acfc6162dd..16fa4d0d30ba 100644 --- a/products/bascontrol22d4/product.yml 
+++ b/products/bascontrol22d4/product.yml @@ -11,7 +11,7 @@ profiles_root: "./profiles" cpes_root: "../../shared/applicability" cpes: - bascontrol22d4: - name: "cpe:/o:bascontrol22d:4" - title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4" - check_id: installed_app_is_bascontrol22d4 + - bascontrol22d4: + name: "cpe:/a:bascontrol22d:4" + title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4" + check_id: installed_app_is_bascontrol22d4 diff --git a/products/bascontrol22d4/profiles/standard.profile b/products/bascontrol22d4/profiles/standard.profile index 1cc540965a81..452bbd66ea13 100644 --- a/products/bascontrol22d4/profiles/standard.profile +++ b/products/bascontrol22d4/profiles/standard.profile @@ -6,5 +6,4 @@ description: |- This profile contains rules to ensure standard security baseline of a Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4 system. -selections: - - firefox_policy-addons_permission +#selections: diff --git a/ssg/constants.py b/ssg/constants.py index 4bf4a4c4c885..52494ddb4c45 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -214,7 +214,7 @@ "Anolis OS 8": "anolis8", "Anolis OS 23": "anolis23", "Amazon Linux 2023": "al2023", - "Contemporary Controls BAScontrol22D 4": "bascontrol33d4", + "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4": "bascontrol22d4", "Debian 11": "debian11", "Debian 12": "debian12", "Debian 13": "debian13", From 75b5c0d6ce11a0e29e4d924e9931f744592494a1 Mon Sep 17 00:00:00 2001 From: cealcorn Date: Wed, 11 Feb 2026 05:30:28 -0800 Subject: [PATCH 043/265] add benchmark --- products/bascontrol22d4/guide/benchmark.yml | 54 +++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 products/bascontrol22d4/guide/benchmark.yml diff --git a/products/bascontrol22d4/guide/benchmark.yml b/products/bascontrol22d4/guide/benchmark.yml new file mode 100644 index 000000000000..f875507f9b5a --- /dev/null 
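Review bot: `cpe:/a:bascontrol22d:4` puts the product name in the CPE vendor slot and the version in the product slot; in the `cpe:/part:vendor:product:version` layout it reads as vendor "bascontrol22d", product "4". Something of the form `cpe:/a:contemporary_controls:bascontrol22d:4` (vendor token constructed here, to be aligned with how other product.yml files in the repository spell vendors) keeps the fields where consumers expect them. The hunk also flips the part from `o` to `a` without saying why; a sentence in the commit on whether the controller firmware is being modelled as an application or an OS would help the next reader.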
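Review bot: `#selections:` replaces the key with a commented-out line rather than an explicit empty list; if the profile is meant to ship with no rules until some exist, `selections: []` states that in valid YAML instead of relying on the profile loader tolerating the missing key (loader behaviour isn't visible here). The `description` above it still promises rules that ensure a standard security baseline, so a short note that the profile is a placeholder would keep the text honest.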
+++ b/products/bascontrol22d4/guide/benchmark.yml @@ -0,0 +1,54 @@ +--- +documentation_complete: true + +title: Guide to the Secure Configuration of {{{ full_name }}} + +status: draft + +description: | + This guide presents a catalog of security-relevant + configuration settings for {{{ full_name }}}. It is a rendering of + content structured in the eXtensible Configuration Checklist Description Format (XCCDF) + in order to support security automation. The SCAP content is + is available in the scap-security-guide package which is developed at + {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}. +

+ Providing system administrators with such guidance informs them how to securely + configure systems under their control in a variety of network roles. Policy + makers and baseline creators can use this catalog of settings, with its + associated references to higher-level security control catalogs, in order to + assist them in security baseline creation. This guide is a catalog, not a + checklist, and satisfaction of every item is not likely to be possible or + sensible in many operational scenarios. However, the XCCDF format enables + granular selection and adjustment of settings, and their association with OVAL + and OCIL content provides an automated checking capability. Transformations of + this document, and its associated automated checking content, are capable of + providing baselines that meet a diverse set of policy objectives. Some example + XCCDF Profiles, which are selections of items that form checklists and + can be used as baselines, are available with this guide. They can be + processed, in an automated fashion, with tools that support the Security + Content Automation Protocol (SCAP). The DISA STIG for {{{ full_name }}}, + which provides required settings for US Department of Defense systems, is + one example of a baseline created from this guidance. + +notice: + id: terms_of_use + description: | + Do not attempt to implement any of the settings in + this guide without first testing them in a non-operational environment. The + creators of this guidance assume no responsibility whatsoever for its use by + other parties, and makes no guarantees, expressed or implied, about its + quality, reliability, or any other characteristic. + +front-matter: | + # BASCONSTROL22D-$ Benchmark + The SCAP Security Guide Project
+ {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}} + +rear-matter: | + Red Hat and Red Hat Enterprise Linux are either registered + trademarks or trademarks of Red Hat, Inc. in the United States and other + countries. All other names are registered trademarks or trademarks of their + respective companies. + +version: 0.9 From 17857e483aefe7a970875cfda5bd687945677533 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 11 Feb 2026 14:37:14 +0100 Subject: [PATCH 044/265] update rule for RHEL-09-611195 If remediating into dropin file, the execstart= (resetting the previous execstart definition) must precede the new definition. --- .../require_emergency_target_auth/ansible/shared.yml | 1 + .../require_emergency_target_auth/bash/shared.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml index 0faa359e3937..a8bf7416aa2e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml @@ -11,6 +11,7 @@ dest: /etc/systemd/system/emergency.service.d/10-oscap.conf block: | [Service] + ExecStart= ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency {{% else %}} - name: Require emergency mode password diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh index a9995656d996..43dda82dea2f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh 
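Review bot: The front-matter heading `# BASCONSTROL22D-$ Benchmark` misspells the product and has `$` where the version belongs; `# BASCONTROL22D-4 Benchmark` matches the name used elsewhere in the series. The description repeats a word (`The SCAP content is is available`), and two passages are carried over from a RHEL guide: the rear-matter is a Red Hat trademark notice, and the description cites "The DISA STIG for {{{ full_name }}}" as an existing baseline, which nothing in the series indicates exists for this controller. Those passages should be rewritten for Contemporary Controls or dropped rather than shipped under `status: draft`.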
@@ -16,6 +16,7 @@ sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default {{% if 'sle' in product or 'rhel' in product or product == 'fedora' or product == 'slmicro5' or 'ol' in families %}} mkdir -p "${service_dropin_cfg_dir}" echo "[Service]" >> "${service_dropin_file}" +echo "ExecStart=" >> "${service_dropin_file}" echo "ExecStart=-$sulogin" >> "${service_dropin_file}" {{% else %}} if grep "^ExecStart=.*" "$service_file" ; then From 2dc09f65ebf44fd19ca4116101bc842fb97b139a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 11 Feb 2026 16:14:35 +0100 Subject: [PATCH 045/265] implement RHEL-09-654097 --- products/rhel9/controls/stig_rhel9.yml | 10 ++++++++++ tests/data/profile_stability/rhel9/stig.profile | 2 ++ tests/data/profile_stability/rhel9/stig_gui.profile | 2 ++ 3 files changed, 14 insertions(+) diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 69d7348f1342..34850b8569d4 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -3501,6 +3501,16 @@ controls: - audit_rules_privileged_commands_crontab status: automated + - id: RHEL-09-654097 + levels: + - medium + title: RHEL 9 must audit any script or executable called by cron as root or by any privileged user. + rules: + - audit_rules_etc_cron_d + - audit_rules_var_spool_cron + status: automated + + - id: RHEL-09-654100 levels: - medium diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index 3546beec2c9f..123ad55c80c0 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile @@ -71,6 +71,7 @@ audit_rules_dac_modification_removexattr audit_rules_dac_modification_setxattr audit_rules_dac_modification_umount audit_rules_dac_modification_umount2 +audit_rules_etc_cron_d audit_rules_execution_chacl audit_rules_execution_chcon audit_rules_execution_semanage 
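Review bot: The new `echo "ExecStart=" >> "${service_dropin_file}"` joins three `>>` appends that build the drop-in, so unless the file is truncated earlier in the script (lines 1–15 are outside the hunk) every re-run of the remediation appends another `[Service]` block with a further reset and redefinition. Writing the drop-in in one shot keeps the remediation idempotent: `printf '[Service]\nExecStart=\nExecStart=-%s\n' "$sulogin" > "${service_dropin_file}"`. The ordering itself — an empty `ExecStart=` before the new value — is the correct way to replace a list-valued setting from a drop-in.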
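Review bot: The new RHEL-09-654097 control in products/rhel9/controls/stig_rhel9.yml ends with two added blank lines (`+ status: automated`, `+`, `+`) before `- id: RHEL-09-654100`, while neighbouring controls are separated by one; dropping one of the `+` lines keeps the list's spacing consistent.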
@@ -124,6 +125,7 @@ audit_rules_usergroup_modification_gshadow
 audit_rules_usergroup_modification_opasswd
 audit_rules_usergroup_modification_passwd
 audit_rules_usergroup_modification_shadow
+audit_rules_var_spool_cron
 auditd_audispd_configure_sufficiently_large_partition
 auditd_data_disk_error_action_stig
 auditd_data_disk_full_action_stig
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index bb3711203015..28292a2751ea 100644
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -71,6 +71,7 @@ audit_rules_dac_modification_removexattr
 audit_rules_dac_modification_setxattr
 audit_rules_dac_modification_umount
 audit_rules_dac_modification_umount2
+audit_rules_etc_cron_d
 audit_rules_execution_chacl
 audit_rules_execution_chcon
 audit_rules_execution_semanage
@@ -124,6 +125,7 @@ audit_rules_usergroup_modification_gshadow
 audit_rules_usergroup_modification_opasswd
 audit_rules_usergroup_modification_passwd
 audit_rules_usergroup_modification_shadow
+audit_rules_var_spool_cron
 auditd_audispd_configure_sufficiently_large_partition
 auditd_data_disk_error_action_stig
 auditd_data_disk_full_action_stig
From 3a023df895f9d501726628bdffea7f40928692a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 11 Feb 2026 16:28:56 +0100
Subject: [PATCH 046/265] update logind_session_timeout to 10 minutes
---
 products/rhel9/controls/stig_rhel9.yml | 2 +-
 tests/data/profile_stability/rhel9/stig.profile | 2 +-
 tests/data/profile_stability/rhel9/stig_gui.profile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml
index 34850b8569d4..9dfe77d4a3d9 100644
--- a/products/rhel9/controls/stig_rhel9.yml
+++ b/products/rhel9/controls/stig_rhel9.yml
@@ -2512,7 +2512,7 @@ controls: title: RHEL 9 must terminate idle user sessions. rules: - logind_session_timeout - - var_logind_session_timeout=15_minutes + - var_logind_session_timeout=10_minutes status: automated - id: RHEL-09-431010 diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index 123ad55c80c0..a09edad3e17e 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile @@ -515,7 +515,7 @@ var_auditd_name_format=stig var_auditd_space_left_action=email var_auditd_space_left_percentage=25pc var_authselect_profile=sssd -var_logind_session_timeout=15_minutes +var_logind_session_timeout=10_minutes var_multiple_time_servers=stig var_networkmanager_dns_mode=explicit_default var_password_hashing_algorithm=SHA512 diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index 28292a2751ea..3e50f112d78d 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -513,7 +513,7 @@ var_auditd_name_format=stig var_auditd_space_left_action=email var_auditd_space_left_percentage=25pc var_authselect_profile=sssd -var_logind_session_timeout=15_minutes +var_logind_session_timeout=10_minutes var_multiple_time_servers=stig var_networkmanager_dns_mode=explicit_default var_password_hashing_algorithm=SHA512 From ceae41d9d9cfb27e6b48a992b89c74db862db8ab Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 11 Feb 2026 16:55:00 +0100 Subject: [PATCH 047/265] fix test scenario which was missing -i in sed expression --- .../tests/vfat_without_nodev.pass.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh
index 837e79fbeee5..7eb91ff88110 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh
@@ -5,7 +5,7 @@
 # Add nodev option to all records in fstab to ensure that test will
 # run on environment where everything is set correctly for rule check.
 cp /etc/fstab /etc/fstab.backup
-sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+sed -i -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
 awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
 # Remount all partitions. (--all option can't be used because it doesn't
 # mount e.g. /boot partition
From a210aab436fe7de589b8d5d1bb60932325fb8e50 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 11 Feb 2026 13:13:02 +0100
Subject: [PATCH 048/265] rhel8 anssi high kickstart: decrease size of /usr to 4096
---
 products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index 7b57de148d7f..88293d407cc9 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
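Review bot: With `sed -i` the file named /etc/fstab.backup is rewritten in place, so it no longer holds the original fstab once the scenario has run; if anything later restores from it (not visible in the hunk), it gets the stripped copy back. Keeping the copy pristine and editing a scratch file avoids that, e.g. `sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup > /etc/fstab.work` and then running the awk step on `/etc/fstab.work`. The remount and any cleanup are outside the hunk.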
@@ -101,7 +101,7 @@ volgroup VolGroup pv.01
 # Create particular logical volumes (optional)
 logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
 logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
From 5b3ac8867d69ffdae9994ab74b7b1ef009bb9952 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 11 Feb 2026 13:16:16 +0100
Subject: [PATCH 049/265] rhel9 anssi high kickstart: decrease size of /usr to 4096 and /opt, /srv, /home to 512
---
 products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
index 2bd43b2fa6cf..7cb225c2da56 100644
--- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
@@ -101,13 +101,13 @@ volgroup VolGroup pv.01
 # Create particular logical volumes (optional)
 logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
From 020e339f542663ae02b4c1030adeba10f7bc0f48 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 12 Feb 2026 09:55:07 +0100
Subject: [PATCH 050/265] add noexec to /home in rhel8 anssi high kickstart file
---
 products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index 88293d407cc9..461459e5d2bd 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -107,7 +107,7 @@ logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="no
 # Ensure /srv Located On Separate Partition
 logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
From 45c8b1cce573c3623b52df6c81437ba311c8566a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 11 Feb 2026 13:34:10 +0100
Subject: [PATCH 051/265] rhel9 bsi kickstart: decrease partition sizes
---
 products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
index e696055b9140..47ef01e7fa56 100644
--- a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
@@ -97,13 +97,13 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=4272
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
 # Ensure /usr Located On Separate Partition
 # partition_for_usr
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=3192 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
 # partition_for_opt
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512
 # Ensure /home Located On Separate Partition
 # partition_for_home
 logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
 logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var Located On Separate Partition
 # partition_for_var
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
 # Ensure /var/log Located On Separate Partition
 # partition_for_var_log
 logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
From a97e44f768eb44fd39a026985b2a3501cc5faf13 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 12 Feb 2026 06:03:12 -0600
Subject: [PATCH 052/265] Remove from None in ssg/entities/common.py on raise outside of execept block
---
 ssg/entities/common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssg/entities/common.py b/ssg/entities/common.py
index 80b69a108728..9ddbbc7422fe 100644
--- a/ssg/entities/common.py
+++ b/ssg/entities/common.py
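Review bot: `+logvol /opt … --size=512` in the first hunk is rewritten without any `--fsoptions`, while the same file mounts /home with `nodev` and the RHEL 8 ANSSI kickstarts earlier in this series give /opt `nodev,nosuid`. Since the line is being changed anyway, `logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"` would bring it in line, provided the BSI profile's mount-option rules expect that for /opt (not visible here). The second hunk (`@@ -115,7 +115,7 @@`) only shrinks /var and raises nothing.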
@@ -260,7 +260,7 @@ def parse_yaml_into_processed_dict(cls, yaml_file, env_yaml=None, product_cpes=N msg = ( "Unparsed YAML data in '{yaml_file}': {keys}" .format(yaml_file=yaml_file, keys=list(yaml_data.keys()))) - raise RuntimeError(msg) from None + raise RuntimeError(msg) if not processed_data.get("definition_location", ""): processed_data["definition_location"] = yaml_file From dc427193d589ee87150a7dde389ca2546bc0d225 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Fri, 6 Feb 2026 16:42:33 +0100 Subject: [PATCH 053/265] add new rule accounts_user_interactive_home_directory_on_separate_partition add rhel8 cce to it --- components/operating-system.yml | 1 + .../oval/shared.xml | 71 +++++++++++++++++++ .../rule.yml | 48 +++++++++++++ .../tests/home_on_root_partition.fail.sh | 9 +++ .../tests/home_on_separate_partition.pass.sh | 20 ++++++ .../tests/mixed_users_one_on_root.fail.sh | 24 +++++++ .../tests/no_interactive_users.pass.sh | 4 ++ shared/references/cce-redhat-avail.txt | 1 - 8 files changed, 177 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh diff --git a/components/operating-system.yml b/components/operating-system.yml index 45d050bf1724..d8a27adbd67f 100644 --- a/components/operating-system.yml +++ b/components/operating-system.yml 
@@ -6,6 +6,7 @@ rules: - accounts_user_home_paths_only - accounts_user_interactive_home_directory_defined - accounts_user_interactive_home_directory_exists +- accounts_user_interactive_home_directory_on_separate_partition - bios_assign_password - bios_disable_usb_boot - bios_enable_execution_restrictions diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml new file mode 100644 index 000000000000..8e1cd5dabbaf --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml @@ -0,0 +1,71 @@ + + + {{{ oval_metadata("All interactive user home directories must reside on a separate partition from root.", rule_title=rule_title) }}} + + + + + + + + + + + / + + + + + + ^ + + (/|$) + + + + + + + + + + /etc/passwd + ^(?:(?!nobody|nfsnobody)[^:]*):(?:[^:]*:)[1-9]\d{3,}:(?:[^:]*:){2}([^:]+):(?!(?:/usr)?/sbin/nologin$|/bin/false$)[^:]*$ + 1 + + + + + + + + + + + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml new file mode 100644 index 000000000000..d50d5b5e1112 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml 
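Review bot: The `[1-9]\d{3,}` UID field in the `/etc/passwd` pattern of the new `oval/shared.xml` hard-codes an interactive-user floor of 1000, whereas the rule's OCIL and every test scenario in this commit select users with `{{{ uid_min }}}`; on a product whose `uid_min` is not 1000 the automated check and the manual check disagree. Building that part of the pattern from `{{{ uid_min }}}` the way the OCIL does keeps the two consistent. The `(?!nobody|nfsnobody)` lookahead also excludes any login that merely begins with `nobody`, not just those accounts; `(?!(?:nobody|nfsnobody):)` is the tighter form. The hunk's XML markup appears stripped in this view, so the element the pattern lives in could not be checked; the same hard-coded floor survives into the reworked pattern in patch 054 below (`@@ -32,13 +32,13 @@`).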
@@ -0,0 +1,48 @@ +documentation_complete: true + +title: 'All Interactive User Home Directories Must Reside On a Separate Partition' + +description: |- + All interactive user home directories must be located on a file system + partition separate from the root (/) partition. If any interactive + user's home directory resides directly on the root file system, a failure + of that file system or a user filling it up could impact system operation. + +rationale: |- + Ensuring that interactive user home directories are on a separate + partition from the root file system prevents users from filling the root + partition, which could result in system instability or denial of service. + It also allows administrators to apply more restrictive mount options + such as noexec, nosuid, and nodev to the + partition containing user home directories. + +severity: medium + +identifiers: + cce@rhel8: CCE-90711-3 + +references: + srg: SRG-OS-000480-GPOS-00227 + +ocil_clause: 'any interactive user home directory is on the root partition' + +ocil: |- + Verify that all interactive user home directories are on a separate + file system partition with the following commands: + + List interactive users and their home directories: +
$ awk -F: '($3>={{{ uid_min }}})&&($7 !~ /nologin/){print $1, $6}' /etc/passwd
+ + For each home directory listed, verify it is on a separate partition: +
$ df <home_directory> | tail -1 | awk '{print $6}'
+ + If the command returns / for any interactive user home directory, + this is a finding. + +fixtext: |- + Migrate interactive user home directories that reside on the root + file system to a separate partition. + +srg_requirement: 'All {{{ full_name }}} interactive user home directories must reside on a file system separate from the root partition.' + +platform: machine diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh new file mode 100644 index 000000000000..86547a7b1706 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_all +# remediation = none + +awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \ + | xargs -I{} userdel -r {} + +mkdir -p /root_home +useradd -m -d /root_home/testUser1 testUser1 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh new file mode 100644 index 000000000000..e5758df3b856 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh 
@@ -0,0 +1,20 @@ +#!/bin/bash +# platform = multi_platform_all + +. $SHARED/partition.sh + +awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \ + | xargs -I{} userdel -r {} + +umount /srv || true + +clean_up_partition /srv + +create_partition + +make_fstab_correct_partition_line /srv + +mount_partition /srv + +mkdir -p /srv/home +useradd -m -d /srv/home/testUser1 testUser1 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh new file mode 100644 index 000000000000..f2e6acfe0e92 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh @@ -0,0 +1,24 @@ +#!/bin/bash +# platform = multi_platform_all +# remediation = none + +. $SHARED/partition.sh + +awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \ + | xargs -I{} userdel -r {} + +umount /srv || true + +clean_up_partition /srv + +create_partition + +make_fstab_correct_partition_line /srv + +mount_partition /srv + +mkdir -p /srv/home +useradd -m -d /srv/home/testUser1 testUser1 + +mkdir -p /root_home +useradd -m -d /root_home/testUser2 testUser2 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh new file mode 100644 index 000000000000..5f33e91bcd1c --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh 
@@ -0,0 +1,4 @@ +#!/bin/bash +# platform = multi_platform_all + +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 06999bee9a08..d854c03a3bec 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -2342,7 +2342,6 @@ CCE-90705-5 CCE-90706-3 CCE-90707-1 CCE-90710-5 -CCE-90711-3 CCE-90715-4 CCE-90720-4 CCE-90721-2 From 85853d5118a398870b1f1b7a5039fa6a610e8631 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 10 Feb 2026 16:06:25 +0100 Subject: [PATCH 054/265] when checking for interactive users, exclude only the nologin shell --- .../oval/shared.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml index 8e1cd5dabbaf..02efcd031d5f 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml @@ -32,13 +32,13 @@ - + /etc/passwd ^(?:(?!nobody|nfsnobody)[^:]*):(?:[^:]*:)[1-9]\d{3,}:(?:[^:]*:){2}([^:]+):(?!(?:/usr)?/sbin/nologin$|/bin/false$)[^:]*$ + >^(?:(?!nobody|nfsnobody)[^:]*):(?:[^:]*:)[1-9]\d{3,}:(?:[^:]*:){2}([^:]+):(?!(?:/usr)?/sbin/nologin$)[^:]*$ 1 From 663217ebab3252aaa6dcb6e7d9ed8affb38f6546 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Tue, 10 Feb 2026 16:17:22 +0100 Subject: [PATCH 055/265] update test scenarios to use macro --- .../tests/home_on_root_partition.fail.sh | 3 +-- .../tests/home_on_separate_partition.pass.sh | 3 +-- .../tests/mixed_users_one_on_root.fail.sh | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh index 86547a7b1706..4191ed7d46f4 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh @@ -2,8 +2,7 @@ # platform = multi_platform_all # remediation = none -awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \ - | xargs -I{} userdel -r {} +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} mkdir -p /root_home useradd -m -d /root_home/testUser1 testUser1 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh index e5758df3b856..6b6858caa70b 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh 
@@ -3,8 +3,7 @@ . $SHARED/partition.sh -awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \ - | xargs -I{} userdel -r {} +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} umount /srv || true diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh index f2e6acfe0e92..94b1ed0b4054 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh @@ -4,8 +4,7 @@ . $SHARED/partition.sh -awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \ - | xargs -I{} userdel -r {} +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} umount /srv || true From 519998037d29060973a3add38620c5b6e754e4f0 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 12 Feb 2026 14:17:15 +0000 Subject: [PATCH 056/265] Restrict mtu Signed-off-by: Alan Moore --- tests/ssg_test_suite/test_env.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py index 63bd416c9e33..a44f16fd9d2d 100644 --- a/tests/ssg_test_suite/test_env.py +++ b/tests/ssg_test_suite/test_env.py @@ -533,6 +533,7 @@ def _new_container_from_image(self, image_name, container_name): "--cap-add=cap_sys_admin", "--cap-add=cap_sys_chroot", # "--privileged", + "--network", "slirp4netns:mtu=1500", "--publish", "{}".format(self.internal_ssh_port), "--detach", image_name, "/usr/sbin/sshd", "-p", "{}".format(self.internal_ssh_port), "-D"] try: 
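Review bot: The added `"--network", "slirp4netns:mtu=1500",` in `_new_container_from_image` pins both the rootless network backend and the MTU with no comment saying why, and the commit message ("Restrict mtu") gives no reason either. On a host where podman defaults to pasta or runs rootful, explicitly requesting `slirp4netns` can fail container creation where the previous defaults worked, so the line needs a why-comment, e.g. `# force slirp4netns with a 1500-byte MTU: <reason — TODO fill in>`, and ideally the value should be overridable rather than fixed in the argument list. The function begins outside the hunk.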
From e592d279e1dd56df30ed6a6a091d54a2435a12f4 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 12 Feb 2026 14:17:34 +0000 Subject: [PATCH 057/265] Update docker files accrodingly Signed-off-by: Alan Moore --- Dockerfiles/test_suite-ubuntu2204 | 4 +--- Dockerfiles/test_suite-ubuntu2404 | 7 +++---- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/Dockerfiles/test_suite-ubuntu2204 b/Dockerfiles/test_suite-ubuntu2204 index 1aab55c4e4fa..bd312a61a3c3 100644 --- a/Dockerfiles/test_suite-ubuntu2204 +++ b/Dockerfiles/test_suite-ubuntu2204 @@ -26,11 +26,9 @@ RUN true \ RUN true \ && ssh-keygen -A \ && mkdir -p /root/.ssh \ + && mkdir /run/sshd && chmod 0755 /run/sshd \ && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ && chmod og-rw /root/.ssh "$AUTH_KEYS" \ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ && echo CPE_NAME="cpe:/o:canonical:ubuntu_linux:22.04" >> /etc/os-release \ && true - -RUN mkdir /run/sshd -CMD ["/usr/sbin/sshd", "-D"] diff --git a/Dockerfiles/test_suite-ubuntu2404 b/Dockerfiles/test_suite-ubuntu2404 index 8b922eaa1828..8186af8740ca 100644 --- a/Dockerfiles/test_suite-ubuntu2404 +++ b/Dockerfiles/test_suite-ubuntu2404 @@ -19,10 +19,9 @@ RUN true \ RUN true \ && ssh-keygen -A \ && mkdir -p /root/.ssh \ + && mkdir /run/sshd && chmod 0755 /run/sshd \ && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ && chmod og-rw /root/.ssh "$AUTH_KEYS" \ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ - && echo CPE_NAME="cpe:/o:canonical:ubuntu_linux:24.04" >> /etc/os-release - -RUN mkdir /run/sshd -CMD ["/usr/sbin/sshd", "-D"] + && echo CPE_NAME="cpe:/o:canonical:ubuntu_linux:24.04" >> /etc/os-release \ +&& true From 8889ba5de57fe66979290f17272b22c53d17c5f1 Mon Sep 17 00:00:00 2001 
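Review bot: In the `test_suite-ubuntu2404` section the new continuation `+&& true` sits at column 0 while every other `&&` line of the same `RUN` is indented, so the chain reads as if it ended a line early; indenting it (`    && true`) matches the existing `&& true` in the `test_suite-ubuntu2204` section above. Both files now create the sshd privilege-separation directory inline with `&& mkdir /run/sshd && chmod 0755 /run/sshd \`; without `-p` the build breaks if a future base image already ships `/run/sshd`, so `mkdir -p /run/sshd` is the safer form. Dropping the `CMD` relies on the harness always passing `/usr/sbin/sshd … -D` itself, which the test_env.py hunk above does.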
From: vojtapolasek Date: Thu, 12 Feb 2026 16:30:03 +0100 Subject: [PATCH 058/265] Update products/rhel9/controls/stig_rhel9.yml Co-authored-by: Matthew Burket --- products/rhel9/controls/stig_rhel9.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 9dfe77d4a3d9..902c50ec108a 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -2087,7 +2087,7 @@ controls: - id: RHEL-09-271065 levels: - medium - title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. + title: RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity. rules: - dconf_gnome_screensaver_idle_delay - inactivity_timeout_value=10_minutes From ff74d6e5250bab48fb445b49548997f195bb1574 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 12 Feb 2026 16:46:27 +0100 Subject: [PATCH 059/265] logind_idle_timeout: use dropin files in RHEL 10 as well --- .../logind_session_timeout/ansible/shared.yml | 2 +- .../accounts-physical/logind_session_timeout/bash/shared.sh | 2 +- .../accounts-physical/logind_session_timeout/oval/shared.xml | 4 ++-- .../accounts-physical/logind_session_timeout/tests/common.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml index 953b012f9bb6..6bb54d80f23d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml 
@@ -6,7 +6,7 @@ {{{ ansible_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["rhel9", "sle15", "sle16"] %}} +{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} {{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh index bf779b4c5825..72e3aa52ba40 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh @@ -2,7 +2,7 @@ {{{ bash_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["rhel9", "sle15", "sle16"] %}} +{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} {{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml index d920c76d80f1..80c8b6a55aa1 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml @@ -1,4 +1,4 @@ -{{% if product in ["rhel9", "sle15", "sle16"] %}} +{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} {{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}} {{% else %}} {{% set logind_conf_file = "/etc/systemd/logind.conf" %}} 
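Review bot: The product list `["rhel9", "rhel10", "sle15", "sle16"]` is now spelled out in four places — the ansible and bash hunks here, both `oval/shared.xml` hunks and the `tests/common.sh` hunk below — and this commit had to edit every copy to add one product, which is how the copies drift apart. Deciding drop-in-vs-monolithic once, in a single shared Jinja variable or macro named per the project's conventions, would leave one place to update. The condition itself also deserves a one-line comment on why these products differ, e.g. `# these products ship a systemd that honours logind.conf.d drop-ins — TODO confirm`.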
@@ -6,7 +6,7 @@ - {{% if product in ["rhel9", "sle15", "sle16"] %}} + {{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh index aeb406f144d8..f40b296ec76b 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh @@ -3,7 +3,7 @@ # this file prepares unified test environment used by other scenarios # These should be tuned per product to match defaults -{{% if product in ["rhel9", "sle15", "sle16"] %}} +{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" mkdir -p /etc/systemd/logind.conf.d/ {{% else %}} From 9ac6ec7d7bec09f201b25ea76d8829411167649c Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 9 Feb 2026 14:23:47 +0100 Subject: [PATCH 060/265] update official STIG manual and SCAP content from v2r5 to v2r6 --- ... => disa-stig-rhel8-v2r6-xccdf-manual.xml} | 704 ++++---- ...ml => disa-stig-rhel8-v2r6-xccdf-scap.xml} | 1603 +++++++++-------- 2 files changed, 1194 insertions(+), 1113 deletions(-) rename shared/references/{disa-stig-rhel8-v2r5-xccdf-manual.xml => disa-stig-rhel8-v2r6-xccdf-manual.xml} (85%) rename shared/references/{disa-stig-rhel8-v2r5-xccdf-scap.xml => disa-stig-rhel8-v2r6-xccdf-scap.xml} (97%) 
diff --git a/shared/references/disa-stig-rhel8-v2r5-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v2r6-xccdf-manual.xml similarity index 85% rename from shared/references/disa-stig-rhel8-v2r5-xccdf-manual.xml rename to shared/references/disa-stig-rhel8-v2r6-xccdf-manual.xml index 18f982203062..a12c07ca4b8a 100644 --- a/shared/references/disa-stig-rhel8-v2r5-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel8-v2r6-xccdf-manual.xml 
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 01 Oct 20253.5.11.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 05 Jan 20263.5.21.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. 
Note: The life-cycle time spans and dates are subject to adjustment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. 
@@ -49,34 +49,50 @@ If package updates have not been performed on the system within the timeframe th Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. -If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-010020RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. +If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-010020RHEL 8 must implement a FIPS 140-3-compliant systemwide cryptographic policy.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. 
+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000068Configure RHEL 8 to use a FIPS 140-3-compliant systemwide cryptographic policy. -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. 
+Create a subpolicy for enhancements to the base systemwide crypto-policy by creating the file /etc/crypto-policies/policies/modules/STIG.pmod with the following content: -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000068Configure the operating system to implement DOD-approved encryption by following the steps below: +# Define ciphers and MACs for OpenSSH and libssh +cipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR +mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256 -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. +Apply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command: -Enable FIPS mode after installation (not strict FIPS-compliant) with the following command: +$ sudo update-crypto-policies --set FIPS:STIG - $ sudo fips-mode-setup --enable +Note: If additional subpolicies are being employed, they must be added to the update-crypto-policies command. -Reboot the system for the changes to take effect.Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions. 
+To make the cryptographic settings effective for already running services and applications, restart the system: -Show the configured systemwide cryptographic policy by running the following command: +$ sudo rebootVerify RHEL 8 is set to use a FIPS 140-3-compliant systemwide cryptographic policy with the following command: $ sudo update-crypto-policies --show -FIPS -If the main policy name is not "FIPS", this is a finding. +FIPS:STIG -If the AD-SUPPORT subpolicy module is included (e.g., "FIPS:AD-SUPPORT"), and Active Directory support is not documented as an operational requirement with the information system security officer (ISSO), this is a finding. +If the systemwide crypto policy is not set to "FIPS", this is a finding. -If the NO-ENFORCE-EMS subpolicy module is included (e.g., "FIPS:NO-ENFORCE-EMS"), and not enforcing EMS is not documented as an operational requirement with the ISSO, this is a finding. +Note: If subpolicies have been configured, they could be listed in a colon-separated list starting with "FIPS" as follows FIPS:<SUBPOLICY-NAME>. This is not a finding. -If any other subpolicy module is included, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>RHEL-08-010030All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. +Note: Subpolicies like AD-SUPPORT must be configured according to the latest guidance from the operating system vendor. 
+ +Verify the current minimum crypto-policy configuration with the following commands: + +$ sudo grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol + +hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 +min_rsa_size = 2048 + +If the "hash" values do not include at least the following FIPS 140-3-compliant algorithms "SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512", this is a finding. + +If there are algorithms that include "SHA1" or a hash value less than "224" this is a finding. + +If the "min_rsa_size" is not set to a value of at least "2048", this is a finding. + +If these commands do not return any output, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>RHEL-08-010030All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
@@ -370,7 +386,7 @@ SHA_CRYPT_MIN_ROUNDS 100000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. +If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: 
@@ -384,7 +400,7 @@ $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] -If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010150RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. +If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010150RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: 
@@ -398,7 +414,7 @@ $ sudo grep -iw grub2_password /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] -If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010151RHEL 8 operating systems must require authentication upon booting into rescue mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file. 
+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010151RHEL 8 operating systems must require authentication upon booting into rescue mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file. ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescueCheck to see if the system requires authentication for rescue mode with the following command: 
@@ -480,7 +496,7 @@ $ sudo yum list installed policycoreutils policycoreutils.x86_64 2.9-3.el8 @anaconda -If the policycoreutils package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010190A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If the policycoreutils package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010190A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -582,152 +598,82 @@ $ sudo stat -c "%G" /var/log root -If "root" is not returned as a result, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010290The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - -The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. 
- -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following commands. - -To manually update the MACs in the systemwide SSH configuration, use the following command: - -$ sudo sed -i -E 's/(-oMACs=)[^ ]*/\1hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256/' "$(readlink -f /etc/crypto-policies/back-ends/opensshserver.config)" - -A reboot is required for the changes to take effect.Verify the RHEL 8 SSH server is configured to use only MACs employing FIPS 140-3 approved algorithms. 
- -To verify the MACs in the systemwide SSH configuration file, use the following command: - -$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config --oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 - -If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256", the order differs from the example above, or they are missing or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010291The RHEL 8 operating system must implement DOD-approved encryption to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - -The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. 
- -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following commands. - -To manually update the ciphers in the systemwide SSH configuration, use the following command: - -$ sudo sed -i -E 's/(-oCiphers=)[^ ]*/\1aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr/' "$(readlink -f /etc/crypto-policies/back-ends/opensshserver.config)" - -A reboot is required for the changes to take effect.Verify the SSH server is configured to use only ciphers employing FIPS 140-3 approved algorithms. 
- -To verify the ciphers in the systemwide SSH configuration file, use the following command: - -$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config --oCiphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr - -If the ciphers entries in the "opensshserver.config" file have any hashes other than "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr", the order differs from the example above, or they are missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010292RHEL 8 must ensure the SSH server uses strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -The SSH implementation in RHEL 8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. 
This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system SSH server to use strong entropy. - -Add or modify the following line in the "/etc/sysconfig/sshd" file. - -SSH_USE_STRONG_RNG=32 - -The SSH service must be restarted for changes to take effect. - -Restart the SSH Daemon with the following command: - -$ sudo systemctl restart sshd.serviceNote: If the operating system is RHEL versions 8.0 or 8.1, this requirement is not applicable. - -Verify the operating system SSH server uses strong entropy with the following command: - -$ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd - -SSH_USE_STRONG_RNG=32 - -If the "SSH_USE_STRONG_RNG" line does not equal "32", is commented out, or is missing, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010293The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
+If "root" is not returned as a result, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010290The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. -RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. +RHEL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. 
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 OpenSSL library to use only ciphers employing FIPS 140-2-approved algorithms with the following command: +Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-3-approved algorithms. 
-$ sudo fips-mode-setup --enable +Reinstall crypto-policies with the following command: -A reboot is required for the changes to take effect.Verify the OpenSSL library is configured to use only ciphers employing FIPS 140-2-approved algorithms: +$ sudo dnf -y reinstall crypto-policies -Verify that system-wide crypto policies are in effect: +Set the crypto-policy to FIPS with the following command: -$ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf +$ sudo update-crypto-policies --set FIPS -.include /etc/crypto-policies/back-ends/opensslcnf.config +Setting system policy to FIPS -If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding. +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the RHEL 8 SSH server is configured to use only MACs employing FIPS 140-3-approved algorithms. -Verify which system-wide crypto policy is in use: +To verify the MACs in the systemwide SSH configuration file, use the following command: -$ sudo update-crypto-policies --show +$ sudo grep -i MACs /etc/crypto-policies/back-ends/opensshserver.config -FIPS +-oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 -If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010294The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
+If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256", or they are missing or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010291The RHEL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. -RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. +RHEL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. 
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file: +Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-3-approved algorithms. 
-For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: -MinProtocol = TLSv1.2 +Reinstall crypto-policies with the following command: -For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: -TLS.MinProtocol = TLSv1.2 -DTLS.MinProtocol = DTLSv1.2 -A reboot is required for the changes to take effect.Verify the OpenSSL library is configured to use only DoD-approved TLS encryption: +$ sudo dnf -y reinstall crypto-policies -For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: +Set the crypto-policy to FIPS with the following command: -$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config +$ sudo update-crypto-policies --set FIPS -MinProtocol = TLSv1.2 +Setting system policy to FIPS -If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding. +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the RHEL 8 SSH server is configured to use only ciphers employing FIPS 140-3-approved algorithms. 
-For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: +To verify the ciphers in the systemwide SSH configuration file, use the following command: -$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config +$ sudo grep -i Ciphers /etc/crypto-policies/back-ends/opensshserver.config +CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -TLS.MinProtocol = TLSv1.2 -DTLS.MinProtocol = DTLSv1.2 +If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010292RHEL 8 must ensure the SSH server uses strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. -If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than DTLSv1.2, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010295The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +The SSH implementation in RHEL 8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. 
This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system SSH server to use strong entropy. -Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. +Add or modify the following line in the "/etc/sysconfig/sshd" file. -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. +SSH_USE_STRONG_RNG=32 -The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. 
+The SSH service must be restarted for changes to take effect. -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": +Restart the SSH Daemon with the following command: -+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 +$ sudo systemctl restart sshd.serviceNote: If the operating system is RHEL versions 8.0 or 8.1, this requirement is not applicable. -A reboot is required for the changes to take effect.Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions: +Verify the operating system SSH server uses strong entropy with the following command: -$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config +$ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd -+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM +SSH_USE_STRONG_RNG=32 -If the "gnutls.config" does not list "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" to disable unapproved SSL/TLS versions, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>RHEL-08-010300RHEL 8 system commands must have mode 755 or less permissive.<VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change 
management process. +If the "SSH_USE_STRONG_RNG" line does not equal "32", is commented out, or is missing, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>RHEL-08-010300RHEL 8 system commands must have mode 755 or less permissive.<VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001499Configure the system commands to be protected from unauthorized access. 
@@ -775,7 +721,7 @@ $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root - $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec stat -c "%n %U" {} + -If any output is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>RHEL-08-010350RHEL 8 library files must be group-owned by root or a system account.<VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any output is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>RHEL-08-010350RHEL 8 library files must be group-owned by root.<VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. 
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001499Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are group owned by root with the following command: 
@@ -998,7 +944,7 @@ $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -1046,7 +992,7 @@ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl. If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -1552,7 +1498,9 @@ $ sudo mount | grep '\s/boot\s' /dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) -If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010580RHEL 8 must prevent special devices on non-root local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.Verify all non-root local partitions are mounted with the "nodev" option with the following command: +If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010580RHEL 8 must prevent special devices on non-root local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.Note: This control is not applicable to vfat file systems. + +Verify all non-root local partitions are mounted with the "nodev" option with the following command: $ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' 
@@ -1591,98 +1539,71 @@ $ sudo more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010630RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.Verify that file systems being imported via NFS are mounted with the "noexec" option with the following command: +If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010630RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.Note: If no NFS mounts are configured, this requirement is Not Applicable. + +Verify file systems being imported via NFS are mounted with the "noexec" option with the following command: $ sudo grep nfs /etc/fstab | grep noexec UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010640RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.Verify file systems that are being NFS-imported are mounted with the "nodev" option with the following command: +If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010640RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.Note: If no NFS mounts are configured, this requirement is Not Applicable. + +Verify file systems that are being NFS-imported are mounted with the "nodev" option with the following command: $ sudo grep nfs /etc/fstab | grep nodev UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "nodev" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010650RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.Verify that file systems being imported via NFS are mounted with the "nosuid" option with the following command: +If a file system found in "/etc/fstab" refers to NFS and it does not have the "nodev" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010650RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.Note: If no NFS mounts are configured, this requirement is Not Applicable. + +Verify file systems being imported via NFS are mounted with the "nosuid" option with the following command: $ sudo grep nfs /etc/fstab | grep nosuid UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010660Local RHEL 8 initialization files must not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. 
If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Set the mode on files being executed by the local initialization files with the following command: - -$ sudo chmod 0755 <file>Verify that local initialization files do not execute world-writable programs. - -Check the system for world-writable files. - -The following command will discover and print world-writable files. Run it once for each local partition [PART]: - -$ sudo find [PART] -xdev -type f -perm -0002 -print - -For all files listed, check for their presence in the local initialization files with the following commands: - -Note: The example will be for a system that is configured to create user home directories in the "/home" directory. - -$ sudo grep <file> /home/*/.* - -If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010670RHEL 8 must disable kernel dumps unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. 
+If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010670RHEL 8 must disable kernel dumps unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If kernel core dumps are not required, disable the "kdump" service with the following command: # systemctl disable kdump.service -If kernel core dumps are required, document the need with the ISSO.Verify that kernel core dumps are disabled unless needed with the following command: +If kernel core dumps are required, document the need with the ISSO.Verify RHEL 8 kernel core dumps are disabled unless needed with the following command: $ sudo systemctl status kdump.service -kdump.service - Crash recovery kernel arming -Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled) -Active: active (exited) since Mon 2020-05-04 16:08:09 EDT; 3min ago -Main PID: 1130 (code=exited, status=0/SUCCESS) +o kdump.service - Crash recovery kernel arming + Loaded: loaded (/usr/lib/systemd/system/kdump.service; disabled; vendor preset: enabled) + Active: inactive (dead) -If the 
"kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). +If the "kdump" service is active, ask the system administrator if the use of the service is required and documented with the information system security officer (ISSO). -If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to disable storing core dumps. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a dropfile in the "/etc/sysctl.d" directory: -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a dropfile if it does not already exist: +$ sudo vi /etc/sysctl.d/99-disable-coredump.conf +Add the following to the file: kernel.core_pattern = |/bin/false -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: +$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: $ sudo sysctl kernel.core_pattern kernel.core_pattern = |/bin/false -If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - -Check that the configuration files are present to enable this kernel parameter. 
- -$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false - -If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. 
@@ -1706,23 +1627,27 @@ systemd-coredump.socket Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) Active: inactive (dead) -If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010673RHEL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010673RHEL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to disable core dumps for all users. +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to disable core dumps for all users. -Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: +Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: + +* hard core 0 -* hard core 0Note: If kernel dumps are disabled in accordance with RHEL-08-010671, this requirement is not applicable. +Remove or comment out any entries for users or groups with a value set to anything other than "0".Note: If kernel dumps are disabled in accordance with RHEL-08-010671, this requirement is not applicable. 
-Verify the operating system disables core dumps for all users by issuing the following command: +Verify RHEL 8 disables core dumps for all users by issuing the following command: -$ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf /etc/security/limits.d/*.conf +$ grep -r -s core /etc/security/limits.conf /etc/security/limits.d/*.conf -/etc/security/limits.d/core_dumps.conf:* hard core 0 +/etc/security/limits.conf:* hard core 0 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. -If the "core" item is missing or commented out, or the value is anything other than "0", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010674RHEL 8 must disable storing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the "core" item is missing or commented out, or the value is anything other than "0", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding. + +If entries exist for users or groups with a value set to anything other than "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010674RHEL 8 must disable storing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to disable storing core dumps for all users. 
@@ -1791,13 +1716,17 @@ $ sudo grep -irw path= /home/*/.* /home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin -If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010700All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. +If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010700All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. + +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all RHEL 8 public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. + +Use the following command template to set ownership of public directories to root or a system account: -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. 
Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 1000. Run it once for each local partition [PART]: +$ sudo chown [root or system account] [Public Directory]Verify RHEL 8 world writable directories are owned by root, a system account, or an application account with the following command: -$ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print +$ sudo find / -xdev -type d -perm -0002 -uid +999 -exec stat -c "%U, %u, %A, %n" {} \; 2>/dev/null -If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010710All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. +If there is output that indicates world-writable directories are owned by any account other than root or an approved system account, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010710All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable must be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this must be investigated. Following this, the directories must be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition [PART]: 
@@ -1901,25 +1830,24 @@ $ sudo chgrp <group> <file> $ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nogroup -If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010800A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/home" directory onto a separate file system.Verify that a separate file system has been created for non-privileged local interactive user home directories. 
+If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010800A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/home" directory onto a separate file system.Verify a separate file system has been created for nonprivileged local interactive user home directories. -Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command: +Check the home directory assignment for all nonprivileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command: - $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd +$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6,$7}' /etc/passwd +pdosadmin 1000 /home/pdosadmin /bin/bash +systemuser 1001 /home/systemuser /bin/bash +acas 1002 /home/acas /bin/bash - doej 1001 /home/doej - publicj 1002 /home/publicj - smithj 1003 /home/smithj - -The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, "/home") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. 
+The output of the command will give the directory/partition that contains the home directories for the nonprivileged users on the system (in this example, "/home") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. Check that a file system/partition has been created for the nonprivileged interactive users with the following command: Note: The partition of "/home" is used in the example. - $ sudo grep /home /etc/fstab +$ sudo grep /home /etc/fstab - /dev/mapper/... /home xfs defaults,noexec,nosuid,nodev 0 0 +/dev/mapper/... /home xfs defaults,noexec,nosuid,nodev 0 0 If a separate entry for the file system/partition containing the nonprivileged interactive user home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-08-010820Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. 
@@ -2405,13 +2333,13 @@ $ sudo grep -R removal-action /etc/dconf/db/* /etc/dconf/db/distro.d/20-authselect:removal-action='lock-screen' -If the "removal-action='lock-screen'" setting is missing or commented out from the dconf database files, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020060RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the "removal-action='lock-screen'" setting is missing or commented out from the dconf database files, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020060RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. 
-Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. +Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure RHEL 8 to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: $ sudo touch /etc/dconf/db/local.d/00-screensaver 
@@ -2423,9 +2351,9 @@ idle-delay=uint32 900 Update the system databases: -$ sudo dconf updateVerify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following commands: +$ sudo dconf updateVerify RHEL 8 initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following command: -This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. +Note: This requirement assumes the use of the RHEL 8 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo gsettings get org.gnome.desktop.session idle-delay 
@@ -2887,17 +2815,7 @@ $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' If "PermitEmptyPasswords" is set to "yes", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020340RHEL 8 must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
- -Add the following line to the top of "/etc/pam.d/postlogin": - -session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred with the following command: - -$ sudo grep pam_lastlog /etc/pam.d/postlogin - -session required pam_lastlog.so showfailed - -If "pam_lastlog.so" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020350RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000052Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020350RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000052Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: 
@@ -4778,14 +4696,12 @@ rich rules: Ask the system administrator (SA) for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. -If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-08-040070The RHEL 8 file system automounter must be disabled unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000778Configure the operating system to disable the ability to automount devices. 
+If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-08-040070The RHEL 8 file system automounter must be disabled.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000778Configure RHEL 8 to disable the ability to automount devices. Turn off the automount service with the following commands: $ sudo systemctl stop autofs -$ sudo systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the operating system disables the ability to automount devices. +$ sudo systemctl disable autofsVerify RHEL 8 disables the ability to automount devices. Check to see if automounter service is active with the following command: 
@@ -4793,11 +4709,11 @@ Note: If the autofs service is not installed, this requirement is not applicable $ sudo systemctl status autofs -autofs.service - Automounts filesystems on demand -Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) -Active: inactive (dead) +o autofs.service - Automounts filesystems on demand + Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) + Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-08-040080RHEL 8 must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. +If the "autofs" status is set to "active", this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-08-040080RHEL 8 must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000778Configure the operating system to disable the ability to use the USB Storage kernel module and the ability to use USB mass storage devices. 
@@ -5241,18 +5157,22 @@ $ sudo yum list installed fapolicyd Installed Packages fapolicyd.x86_64 -If fapolicyd is not installed, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040140RHEL 8 must block unauthorized peripherals before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. +If fapolicyd is not installed, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040140RHEL 8 must block unauthorized peripherals before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
-The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001958Configure the operating system to enable the blocking of unauthorized peripherals with the following command: +The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001958Configure the operating system to enable the blocking of unauthorized peripherals with the following command: This command must be run from a root shell and will create an allow list for any usb devices currently connect to the system. 
# usbguard generate-policy > /etc/usbguard/rules.conf -Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouseVerify the USBGuard has a policy configured with the following command: +Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse. + +Restart usbguard service after creation or update of rules with the following command: + +$ sudo systemctl restart usbguardVerify the USBGuard has a policy configured with the following command: $ sudo usbguard list-rules 
@@ -5357,19 +5277,24 @@ $ sudo grep -r logout /etc/dconf/db/local.d/* /etc/dconf/db/local.d/00-disable-CAD:logout='' -If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040172The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: +If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040172The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: + +If no drop file exists, create one with the following command: + +$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction + +Edit the file to contain the setting by adding the following text: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect. 
-$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: - -$ sudo grep -i ctrl /etc/systemd/system.conf +$ sudo systemctl daemon-reloadVerify RHEL 8 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: -CtrlAltDelBurstAction=none +$ sudo grep -iR CtrlAltDelBurstAction /etc/systemd/system* +/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction:CtrlAltDelBurstAction=none -If the "CtrlAltDelBurstAction" is not set to "none", is commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040180The debug-shell systemd service must be disabled on RHEL 8.<VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. 
This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to mask the debug-shell systemd service with the following command: +If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040180The debug-shell systemd service must be disabled on RHEL 8.<VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. 
This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to mask the debug-shell systemd service with the following command: $ sudo systemctl mask debug-shell.service 
@@ -5880,45 +5805,31 @@ $ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/ If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line in a dropfile, in the "/etc/sysctl.d" directory with the following commands: -kernel.yama.ptrace_scope = 1 +Create the dropfile if it doesn't already exist: +$ sudo vi /etc/sysctl.d/99-ptrace-restrict.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf 
-/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +kernel.yama.ptrace_scope = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: +$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: $ sudo sysctl kernel.yama.ptrace_scope kernel.yama.ptrace_scope = 1 -If the returned line does not have a value of "1", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1 - -If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+If "kernel.yama.ptrace_scope" is not set to "1", is missing, or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5996,45 +5907,33 @@ If "user.max_user_namespaces" is not set to "0", is missing or commented out, th If conflicting results are returned, this is a finding. -If the use of namespaces is operationally required and documented with the ISSM, it is not a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the use of namespaces is operationally required and documented with the ISSM, it is not a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the "/etc/sysctl.d" directory: - -net.ipv4.conf.all.rp_filter = 1 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to use reverse path filtering on IPv4 interfaces by default. -$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -$ sudo sysctl net.ipv4.conf.all.rp_filter +Create a configuration file if it does not already exist: -net.ipv4.conf.all.rp_filter = 1 +$ sudo vi /etc/sysctl.d/ipv4_rp_filter.conf -If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. +net.ipv4.conf.default.rp_filter = 1 -Check that the configuration files are present to enable this network parameter. +Load settings from all system configuration files with the following command: -$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on IPv4 interfaces with the following commands: -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 +$ sudo sysctl net.ipv4.conf.default.rp_filter -If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding. 
+net.ipv4.conf.default.rp_filter = 1 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: +If "net.ipv4.conf.default.rp_filter" is not set to "1" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local 
network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. 
@@ -6186,21 +6085,21 @@ $ sudo yum list installed *ftpd* vsftpd.x86_64 3.0.3-28.el8 appstream -If an FTP server is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040370The gssproxy package must not be installed unless mission essential on RHEL 8.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If an FTP server is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040370The gssproxy package must not be installed unless mission essential on RHEL 8.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. 
It is not needed for normal function of the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000381Document the gssproxy package with the ISSO as an operational requirement or remove it from the system with the following command: -$ sudo yum remove gssproxyVerify the gssproxy package has not been installed on the system with the following commands: +$ sudo yum remove gssproxyNote: If NFS mounts are authorized and in use on the system, this control is not applicable. -$ sudo yum list installed gssproxy +Verify the gssproxy package is not installed with the following command: -gssproxy.x86_64 0.8.0-14.el8 @anaconda +$ dnf list --installed gssproxy -If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. +Error: No matching Packages to list -If NFS mounts are being used, this is not a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040380The iprutils package must not be installed unless mission essential on RHEL 8.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+If the "gssproxy" package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040380The iprutils package must not be installed unless mission essential on RHEL 8.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
@@ -6316,7 +6215,7 @@ $ sudo grep banner-message-enable /etc/dconf/db/local.d/* banner-message-enable=true -If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010141RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. +If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010141RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to have a unique name for the grub superusers account. 
@@ -6336,7 +6235,7 @@ $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniquestringhere]" export superusers -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010149RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. +If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010149RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to have a unique name for the grub superusers account. 
@@ -6356,7 +6255,7 @@ $ sudo grep -iw "superusers" /boot/grub2/grub.cfg set superusers="[someuniquestringhere]" export superusers -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010152RHEL 8 operating systems must require authentication upon booting into emergency mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file. 
+If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010152RHEL 8 operating systems must require authentication upon booting into emergency mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file. ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergencyCheck to see if the system requires authentication for emergency mode with the following command: 
@@ -6406,25 +6305,7 @@ ClientAliveInterval 600 If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010287The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. 
- -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd: - -# CRYPTO_POLICY= - -A reboot is required for the changes to take effect.Verify that system-wide crypto policies are in effect: - -$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd - -# CRYPTO_POLICY= - -If the "CRYPTO_POLICY " is uncommented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010472RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. 
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010472RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command: 
@@ -6460,7 +6341,7 @@ Check that a file system has been created for "/var/tmp" with the following comm /dev/mapper/... /var/tmp xfs defaults,nodev,noexec,nosuid 0 0 -If a separate entry for "/var/tmp" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010572RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.For systems that use BIOS, this is Not Applicable. +If a separate entry for "/var/tmp" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010572RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.Note: For vfat file systems and for systems that use BIOS, this is Not Applicable. Verify the /boot/efi directory is mounted with the "nosuid" option with the following command: 
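Review bot: The added note makes RHEL-08-010572 Not Applicable on vfat, and the EFI System Partition mounted at /boot/efi is FAT-formatted on UEFI systems (the firmware requires it), so as far as I can tell this requirement now applies to essentially no RHEL 8 install — vfat does not honor setuid/setgid bits, so `nosuid` there changes nothing anyway. A rule mapped to this STIG ID should therefore evaluate to notapplicable when /boot/efi is not mounted or is mounted as vfat (e.g. `findmnt -no FSTYPE /boot/efi`) instead of failing because `nosuid` is absent from the mount options. The rest of the check text for this ID lies outside this hunk.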
@@ -7386,21 +7267,7 @@ All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriat All authorized nonadministrative users must be mapped to the "user_u" role. -If they are not mapped in this way, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-040342RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. - -RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - -The system will attempt to use the first algorithm presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/crypto-policies/back-ends/opensshserver.config": - --oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 - -A reboot is required for the changes to take effect.Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms: - - $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config - - CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' - -If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in different order than shown, or are missing or commented out, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010019RHEL 8 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software 
packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001749CCI-003992Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values. +If they are not mapped in this way, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010019RHEL 8 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001749CCI-003992Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values. 
Insert RHEL 8 installation disc or attach RHEL 8 installation image to the system. Mount the disc or image to make the contents accessible inside the system. 
@@ -7481,47 +7348,61 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p $ sudo grep -i nullok /etc/pam.d/system-auth -If output is produced, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010296RHEL 8 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organizationally controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8.4 and newer releases incorporate system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH client to use only MACs employing FIPS 140-3 approved algorithms. 
- -For RHEL 8.4 and newer, update the "/etc/crypto-policies/back-ends/openssh.config" file with the following command: -sudo sed -i -E 's/(-oMACs=)[^ ]*/\1hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256/' "$(readlink -f /etc/crypto-policies/back-ends/openssh.config)" - -A reboot is required for the changes to take effect.Verify the SSH client is configured to use only MACs employing FIPS 140-3 approved algorithms with the following command: - -$ grep -i macs /etc/crypto-policies/back-ends/openssh.config - --oMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 - -If the MACs entries in the "openssh.config" file have any hashes other than "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512", they are missing, or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010297RHEL 8 SSH client must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - -The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00066</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH client to use only ciphers employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/openssh.config" file with the following commands. - -To manually update the ciphers in the systemwide SSH configuration, use the following command: - -$ sudo sed -i -E 's/(-oCiphers=)[^ ]*/\1aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr/' "$(readlink -f /etc/crypto-policies/back-ends/openssh.config)" - -A reboot is required for the changes to take effect.Verify the SSH client is configured to use only ciphers employing FIPS 140-3 approved algorithms. 
- -To verify the Ciphers in the systemwide SSH configuration file, use the following command: - -$ sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config --oCiphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr - -If the ciphers entries in the "openssh.config" file have any hashes other than "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr", or they are missing, or commented out, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-08-010455RHEL 8 must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If output is produced, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010296The RHEL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates systemwide crypto policies by default. 
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH client to use only MACs employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the RHEL 8 SSH client is configured to use only MACs employing FIPS 140-3-approved algorithms.
+
+To verify the MACs in the systemwide SSH configuration file, use the following command:
+
+$ grep -i MACs /etc/crypto-policies/back-ends/openssh.config
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+If the MACs entries in the "openssh.config" file have any hashes other than "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-2562", or they are missing or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010297The RHEL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+RHEL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.
+
+Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00066</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH client to use only ciphers employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the RHEL 8 SSH client is configured to use only ciphers employing FIPS 140-3-approved algorithms.
+
+To verify the ciphers in the systemwide SSH configuration file, use the following command:
+
+$ grep -i Ciphers /etc/crypto-policies/back-ends/openssh.config
+
+Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+If the cipher entries in the "openssh.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-08-010455RHEL 8 must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. 
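Review bot: The finding sentence for RHEL-08-010296 quotes `hmac-sha2-2562`, which is not an OpenSSH MAC name, while the expected output two lines earlier ends in `hmac-sha2-256`; a checker that copies the quoted list verbatim would flag every correctly configured client, so the rule mapped to this STIG ID should take its expected MAC list from the `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256` output line rather than from the finding sentence. The checks for both 010296 and 010297 also demand an exact list in an exact order, yet the fix only runs `update-crypto-policies --set FIPS`, so the `openssh.config` the FIPS policy generates is determined by the installed crypto-policies version and may legitimately order or extend the algorithms differently from the quoted strings; a rule implementing this check should verify the active policy is FIPS and compare the algorithm lists as sets rather than as a hard-coded string. As a caveat for anyone turning the fix text into remediation, `update-crypto-policies --set FIPS` changes userspace policy only; to my knowledge the kernel FIPS mode that FIPS 140-3 validation assumes is enabled with `fips-mode-setup --enable`, which also selects the FIPS policy, so the remediation should not be described as making the system FIPS-compliant on its own.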
@@ -7545,15 +7426,15 @@ This command must be run as root: If conflicting results are returned, this is a finding. -If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-08-030655RHEL 8 must audit any script or executable called by cron as root or by any privileged user.<VulnDiscussion>Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions set to 755 or more restrictive, and have no extended rights that allow a nonprivileged user to modify the script or executable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000172Configure RHEL 8 to audit the execution of any system call made by cron as root or as any privileged user. 
+If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-08-030655RHEL 8 must audit any script or executable called by cron as root or by any privileged user.<VulnDiscussion>Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions set to 755 or more restrictive, and have no extended rights that allow a nonprivileged user to modify the script or executable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000172Configure RHEL 8 to audit the execution of any system call made by cron as root or as any privileged user. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": -auditctl -w /etc/cron.d/ -p wa -k cronjobs -auditctl -w /var/spool/cron/ -p wa -k cronjobs +-w /etc/cron.d/ -p wa -k cronjobs +-w /var/spool/cron/ -p wa -k cronjobs To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 8 is configured to audit the execution of any system call made by cron as root or as any privileged user. +$ sudo augenrules --loadVerify RHEL 8 is configured to audit the execution of any system call made by cron as root or as any privileged user. $ sudo auditctl -l | grep /etc/cron.d -w /etc/cron.d -p wa -k cronjobs 
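Review bot: The two watches the new fix text installs, `-w /etc/cron.d/ -p wa -k cronjobs` and `-w /var/spool/cron/ -p wa -k cronjobs`, cover less than the title's "any script or executable called by cron as root": `/etc/crontab`, the `/etc/cron.hourly`, `/etc/cron.daily`, `/etc/cron.weekly` and `/etc/cron.monthly` directories and anacron's files are not watched, so a root job dropped there is not audited by these rules. The check in the same hunk greps `auditctl -l` for the unanchored pattern `/etc/cron.d`, which also matches a watch on `/etc/cron.daily` alone, so it cannot tell the required watch apart from a neighbouring one. DISA's text is authoritative for the STIG ID, but a rule implemented against it could add watches for those paths and match the full `-w /etc/cron.d -p wa -k cronjobs` string in its check.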
@@ -7561,4 +7442,83 @@ $ sudo auditctl -l | grep /etc/cron.d $ sudo auditctl -l | grep /var/spool/cron -w /var/spool/cron -p wa -k cronjobs -If either of these commands do not return the expected output, or the lines are commented out, this is a finding. \ No newline at end of file +If either of these commands do not return the expected output, or the lines are commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-020360RHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. + +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Configure RHEL 8 to exit interactive command shell user sessions after 10 minutes of inactivity. 
+ +Add or edit the following line in "/etc/profile.d/tmout.sh": + +#!/bin/bash + +declare -xr TMOUT=600Verify RHEL 8 is configured to exit interactive command shell user sessions after 10 minutes of inactivity or less with the following command: + +$ sudo grep -i tmout /etc/profile /etc/profile.d/*.sh + +/etc/profile.d/tmout.sh:declare -xr TMOUT=600 + +If "TMOUT" is not set to "600" or less in a script located in the "/etc/'profile.d/ directory, is missing or is commented out, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-010280RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.<VulnDiscussion>Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000068Configure Libreswan to use the system cryptographic policy. + +Add the following line to "/etc/ipsec.conf": + +include /etc/crypto-policies/back-ends/libreswan.configNote: If the ipsec service is not installed, this requirement is Not Applicable. 
+ +Verify the IPsec service uses the system crypto policy with the following command: + +$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf + +/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config +/etc/ipsec.conf:include /etc/ipsec.d/*.conf + +If the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-010275RHEL 8 must implement DOD-approved encryption in the bind package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates systemwide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002418Configure BIND to use the system crypto policy. + +Add the following line to the "options" section in "/etc/named.conf": + +include "/etc/crypto-policies/back-ends/bind.config";Note: If the "bind" package is not installed, this requirement is Not Applicable. 
+ +Verify BIND uses the system crypto policy with the following command: + +$ sudo grep include /etc/named.conf + +include "/etc/crypto-policies/back-ends/bind.config";' + +If BIND is installed and the BIND config file does not contain the include "/etc/crypto-policies/back-ends/bind.config" directive, or the line is commented out, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>RHEL-08-010270RHEL 8 cryptographic policy must not be overridden.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + +Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002450Configure RHEL 8 to correctly implement the systemwide cryptographic policies by reinstalling the crypto-policies package contents. + +Reinstall crypto-policies with the following command: + +$ sudo dnf -y reinstall crypto-policies + +Set the crypto-policy to FIPS with the following command: + +$ sudo update-crypto-policies --set FIPS + +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify RHEL 8 cryptographic policies are not overridden. 
+ +Verify the configured policy matches the generated policy with the following command: + +$ sudo update-crypto-policies --is-applied + +The configured policy is applied + +If the returned message does not match the above, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>RHEL-08-010015RHEL 8 must have the crypto-policies package installed.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + +Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002450Install the crypto-policies package (if the package is not already installed) with the following command: + +$ sudo dnf -y install crypto-policiesVerify the RHEL 8 crypto-policies package is installed with the following command: + +$ sudo dnf list --installed crypto-policies + +Updating Subscription Management repositories. +Installed Packages +crypto-policies.noarch 20230731-1.git3177e06.el8 @rhel-8-for-x86_64-baseos-rpms + +If the crypto-policies package is not installed, this is a finding. \ No newline at end of file 
diff --git a/shared/references/disa-stig-rhel8-v2r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v2r6-xccdf-scap.xml similarity index 97% rename from shared/references/disa-stig-rhel8-v2r5-xccdf-scap.xml rename to shared/references/disa-stig-rhel8-v2r6-xccdf-scap.xml index c1a92634af36..5121706257da 100644 --- a/shared/references/disa-stig-rhel8-v2r5-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel8-v2r6-xccdf-scap.xml @@ -1,36 +1,36 @@ - - + + - + - + - + - + - - + + - + Red Hat Enterprise Linux 8 - oval:mil.disa.stig.rhel8os:def:1 + oval:mil.disa.stig.rhel8os:def:1 - + - accepted + accepted Red Hat Enterprise Linux 8 STIG SCAP Benchmark This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. @@ -40,97 +40,121 @@ DISA STIG.DOD.MIL - Benchmark Date: 01 Oct 2025 - 3.5.1 + Benchmark Date: 05 Jan 2026 + 3.5.2 1.10.0 Linux krb5 workstation 1.17 or higher is not installed - + + + + + Linux with BIND installed + + Linux krb5 server 1.17 or higher is not installed - + + + + + Linux with NFS mounts configured + + Linux IPv6 Enabled - + + + + + Linux with Libreswan installed + + Linux BIOS Boot - + RHEL 8.2 or Higher - + Gnome-shell Package - + + + + + Linux with no NFS mounts configured + + RHEL 8.1 or Lower - + Linux UEFI Boot - + Linux with TFTP installed - + Kernel dumps are enabled - + Linux UEFI system with boot partition file type other than VFAT - + Linux with postfix installed - + Linux with autofs installed - + RHEL 8.7 or Higher - + - 002.005 + 002.006 DISA DISA @@ -161,7 +185,6 @@ - @@ -249,7 +272,6 @@ - @@ -420,6 +442,10 @@ + + + + I - Mission Critical Public @@ -445,7 +471,6 @@ - @@ -533,7 +558,6 @@ - 
@@ -704,6 +728,10 @@ + + + + I - Mission Critical Sensitive @@ -729,7 +757,6 @@ - @@ -817,7 +844,6 @@ - @@ -988,6 +1014,10 @@ + + + + II - Mission Support Classified @@ -1013,7 +1043,6 @@ - @@ -1101,7 +1130,6 @@ - @@ -1272,6 +1300,10 @@ + + + + II - Mission Support Public @@ -1297,7 +1329,6 @@ - @@ -1385,7 +1416,6 @@ - @@ -1556,6 +1586,10 @@ + + + + II - Mission Support Sensitive @@ -1581,7 +1615,6 @@ - @@ -1669,7 +1702,6 @@ - @@ -1840,6 +1872,10 @@ + + + + III - Administrative Classified @@ -1865,7 +1901,6 @@ - @@ -1953,7 +1988,6 @@ - @@ -2124,6 +2158,10 @@ + + + + III - Administrative Public @@ -2149,7 +2187,6 @@ - @@ -2237,7 +2274,6 @@ - @@ -2408,6 +2444,10 @@ + + + + III - Administrative Sensitive @@ -2433,7 +2473,6 @@ - @@ -2521,7 +2560,6 @@ - @@ -2692,14 +2730,18 @@ + + + + Disable Slow Rules This profile disables rules known to have poor performance in some environments, such as systems with large numbers of user accounts. + - @@ -2722,8 +2764,9 @@ - + + @@ -2732,7 +2775,6 @@ - @@ -2744,30 +2786,27 @@ - + - - - - + @@ -2810,12 +2849,14 @@ + + - + @@ -2832,12 +2873,12 @@ + + - - @@ -2862,9 +2903,11 @@ + + @@ -2872,19 +2915,20 @@ + - + - + + - @@ -2893,6 +2937,7 @@ + @@ -2900,7 +2945,6 @@ - @@ -2932,32 +2976,31 @@ + - - + + - + - - @@ -2991,7 +3034,7 @@ Note: The life-cycle time spans and dates are subject to adjustment.</VulnDis Upgrade to a supported version of RHEL 8. - + @@ -3027,7 +3070,7 @@ The "rsyslog" service must be restarted for the changes to take effect. To resta $ sudo systemctl restart rsyslog.service - + @@ -3058,7 +3101,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M ENCRYPT_METHOD SHA512 - + @@ -3083,7 +3126,7 @@ Passwords need to be protected at all times, and encryption is the standard meth Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - + 
@@ -3112,14 +3155,14 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ SHA_CRYPT_MIN_ROUNDS 100000 - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-08-010140 RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3141,14 +3184,14 @@ Enter password: Confirm password: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-08-010150 RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3170,14 +3213,14 @@ Enter password: Confirm password: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-08-010151 RHEL 8 operating systems must require authentication upon booting into rescue mode. <VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3194,7 +3237,7 @@ Confirm password: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - + 
@@ -3224,7 +3267,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include password sufficient pam_unix.so sha512 - + @@ -3256,7 +3299,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access Remove any files with the .keytab extension from the operating system. - + @@ -3287,7 +3330,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-workstation - + @@ -3317,7 +3360,7 @@ SELINUX=enforcing A reboot is required for the changes to take effect. - + @@ -3343,7 +3386,7 @@ Policycoreutils contains the policy core utilities that are required for basic o $ sudo yum install policycoreutils - + @@ -3381,7 +3424,7 @@ For the changes to take effect, the SSH daemon must be restarted: $ sudo systemctl restart sshd.service - + @@ -3407,7 +3450,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0640 /var/log/messages - + @@ -3433,7 +3476,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log/messages - + @@ -3459,7 +3502,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log/messages - + @@ -3485,7 +3528,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0755 /var/log - + @@ -3511,7 +3554,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log - + @@ -3537,7 +3580,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log - + 
@@ -3572,45 +3615,7 @@ Restart the SSH Daemon with the following command: $ sudo systemctl restart sshd.service - - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - RHEL-08-010294 - The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. 
- -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 8 - DISA - DPMS Target - Red Hat Enterprise Linux 8 - 2921 - - CCI-001453 - Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file: - -For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: -MinProtocol = TLSv1.2 - -For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: -TLS.MinProtocol = TLSv1.2 -DTLS.MinProtocol = DTLSv1.2 -A reboot is required for the changes to take effect. - - - + @@ -3638,7 +3643,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod $ sudo chmod 755 [FILE] - + @@ -3666,7 +3671,7 @@ Run the following command, replacing "[FILE]" with any system command file not o $ sudo chown root [FILE] - + @@ -3694,7 +3699,7 @@ Run the following command, replacing "[FILE]" with any system command file not g $ sudo chgrp root [FILE] - + @@ -3720,7 +3725,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} + - + 
@@ -3746,16 +3751,16 @@ This requirement applies to RHEL 8 with software libraries that are accessible a $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} + - + SRG-OS-000259-GPOS-00100 <GroupDescription></GroupDescription> - + RHEL-08-010350 - RHEL 8 library files must be group-owned by root or a system account. + RHEL 8 library files must be group-owned by root. <VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3772,7 +3777,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} + - + @@ -3801,7 +3806,7 @@ Verifying the authenticity of the software prior to installation validates the i gpgcheck=1 - + @@ -3832,7 +3837,7 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: localpkg_gpgcheck=True - + 
@@ -3881,7 +3886,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -3933,7 +3938,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -3985,14 +3990,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + RHEL-08-010375 RHEL 8 must restrict access to the kernel message buffer. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
@@ -4037,14 +4042,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + RHEL-08-010376 RHEL 8 must prevent kernel profiling by unprivileged users. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. @@ -4089,7 +4094,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -4116,7 +4121,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + @@ -4143,7 +4148,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + @@ -4176,7 +4181,7 @@ This requirement only applies to components where this is specific to the functi $ sudo yum install openssl-pkcs11 - + @@ -4224,7 +4229,7 @@ Issue the following command to make the changes take effect: $ sudo sysctl --system - + @@ -4250,7 +4255,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con clean_requirements_on_remove=True - + @@ -4280,7 +4285,7 @@ SELINUXTYPE=targeted A reboot is required for the changes to take effect. - + 
@@ -4304,7 +4309,7 @@ A reboot is required for the changes to take effect. $ sudo rm /etc/ssh/shosts.equiv - + @@ -4328,7 +4333,7 @@ $ sudo rm /etc/ssh/shosts.equiv $ sudo rm /[path]/[to]/[file]/.shosts - + @@ -4356,7 +4361,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4384,7 +4389,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4412,7 +4417,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4421,7 +4426,7 @@ $ sudo systemctl restart sshd.service <GroupDescription></GroupDescription> RHEL-08-010520 - The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. + The RHEL 8 SSH daemon must not allow authentication using known host's authentication. <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 @@ -4431,7 +4436,7 @@ $ sudo systemctl restart sshd.service 2921 CCI-000366 - Configure the SSH daemon to not allow authentication using known host’s authentication. + Configure the SSH daemon to not allow authentication using known host's authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": 
@@ -4442,7 +4447,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4472,7 +4477,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4494,7 +4499,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var" path onto a separate file system. - + @@ -4516,7 +4521,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var/log" path onto a separate file system. - + @@ -4538,7 +4543,7 @@ $ sudo systemctl restart sshd.service Migrate the system audit data path onto a separate file system. - + @@ -4560,7 +4565,7 @@ $ sudo systemctl restart sshd.service Migrate the "/tmp" directory onto a separate file system/partition. - + @@ -4591,7 +4596,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4619,7 +4624,7 @@ $ sudo systemctl start rsyslog.service $ sudo systemctl enable rsyslog.service - + @@ -4641,7 +4646,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users. - + 
@@ -4664,17 +4669,17 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010580 RHEL 8 must prevent special devices on non-root local partitions. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 DISA 
@@ -4686,14 +4691,14 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010630 RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). <VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4704,18 +4709,19 @@ $ sudo systemctl enable rsyslog.service Red Hat Enterprise Linux 8 2921 + CCI-000366 Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010640 RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4726,18 +4732,19 @@ $ sudo systemctl enable rsyslog.service Red Hat Enterprise Linux 8 2921 + CCI-000366 Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010650 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4748,23 +4755,24 @@ $ sudo systemctl enable rsyslog.service Red Hat Enterprise Linux 8 2921 + CCI-000366 Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010671 RHEL 8 must disable the kernel.core_pattern. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf @@ -4779,26 +4787,20 @@ The sysctl --system command will load settings from all system configuration fil 2921 CCI-000366 - Configure RHEL 8 to disable storing core dumps. + Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a dropfile in the "/etc/sysctl.d" directory: -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a dropfile if it does not already exist: +$ sudo vi /etc/sysctl.d/99-disable-coredump.conf +Add the following to the file: kernel.core_pattern = |/bin/false -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system - + - + 
@@ -4835,17 +4837,17 @@ Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010673 RHEL 8 must disable core dumps for all users. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4857,14 +4859,16 @@ A core dump includes a memory image taken at the time the operating system termi CCI-000366 - Configure the operating system to disable core dumps for all users. + Configure the operating system to disable core dumps for all users. -Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: +Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: -* hard core 0 - +* hard core 0 + +Remove or comment out any entries for users or groups with a value set to anything other than "0". + - + @@ -4893,7 +4897,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: Storage=none - + @@ -4922,7 +4926,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0 - + @@ -4950,7 +4954,7 @@ If manually configuring DNS, edit the "/etc/resolv.conf" file to uncomment or ad $ sudo echo -n > /etc/resolv.conf - + @@ -4972,7 +4976,7 @@ $ sudo echo -n > /etc/resolv.conf Assign home directories to all local interactive users on RHEL 8 that currently do not have a home directory assigned. - + @@ -4991,14 +4995,14 @@ $ sudo echo -n > /etc/resolv.conf 2921 CCI-000366 - Change the mode of interactive user’s home directories to "0750". To change the mode of a local interactive user’s home directory, use the following command: + Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj". $ sudo chmod 0750 /home/smithj - + @@ -5022,7 +5026,7 @@ $ sudo chmod 0750 /home/smithj CREATE_HOME yes - + 
@@ -5048,14 +5052,14 @@ Note: The example will be for the smithj user, who has a home directory of "/hom $ sudo chmod 0740 /home/smithj/.<INIT_FILE> - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010800 A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent). <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -5070,7 +5074,7 @@ Note: The example will be for the smithj user, who has a home directory of "/hom Migrate the "/home" directory onto a separate file system. - + @@ -5098,7 +5102,7 @@ Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] se AutomaticLoginEnable=false - + @@ -5128,7 +5132,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -5167,7 +5171,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5200,7 +5204,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: deny = 3 - + @@ -5239,7 +5243,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5272,7 +5276,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: fail_interval = 900 - + @@ -5311,7 +5315,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + 
@@ -5343,7 +5347,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: unlock_time = 0 - + @@ -5382,7 +5386,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5415,7 +5419,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: silent - + @@ -5456,7 +5460,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5489,7 +5493,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: audit - + @@ -5530,7 +5534,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5563,7 +5567,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: even_deny_root - + @@ -5591,7 +5595,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard maxlogins 10 - + @@ -5632,7 +5636,7 @@ Update the system databases: $ sudo dconf update - + @@ -5677,7 +5681,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -5707,7 +5711,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin password requisite pam_pwquality.so - + @@ -5740,7 +5744,7 @@ ucredit = -1 Remove any configurations that conflict with the above value. - + @@ -5773,7 +5777,7 @@ lcredit = -1 Remove any configurations that conflict with the above value. - + @@ -5806,7 +5810,7 @@ dcredit = -1 Remove any configurations that conflict with the above value. - + @@ -5839,7 +5843,7 @@ maxclassrepeat = 4 Remove any configurations that conflict with the above value. - + @@ -5872,7 +5876,7 @@ maxrepeat = 3 Remove any configurations that conflict with the above value. - + @@ -5905,7 +5909,7 @@ minclass = 4 Remove any configurations that conflict with the above value. - + 
@@ -5938,7 +5942,7 @@ difok = 8 Remove any configurations that conflict with the above value. - + @@ -5963,7 +5967,7 @@ Remove any configurations that conflict with the above value. $ sudo chage -m 1 [user] - + @@ -5990,7 +5994,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1 - + @@ -6017,7 +6021,7 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60 - + @@ -6042,7 +6046,7 @@ PASS_MAX_DAYS 60 $ sudo chage -M 60 [user] - + @@ -6079,7 +6083,7 @@ minlen = 15 Remove any configurations that conflict with the above value. - + @@ -6110,7 +6114,7 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MIN_LEN 15 - + @@ -6140,7 +6144,7 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID. - + @@ -6171,7 +6175,7 @@ $ sudo useradd -D -f 35 DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - + @@ -6204,7 +6208,7 @@ ocredit = -1 Remove any configurations that conflict with the above value. - + @@ -6232,7 +6236,7 @@ Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[ offline_credentials_expiration = 1 - + @@ -6260,7 +6264,7 @@ dictcheck=1 Remove any configurations that conflict with the above value. - + @@ -6288,7 +6292,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr FAIL_DELAY 4 - + 
@@ -6316,33 +6320,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-08-020340 - RHEL 8 must display the date and time of the last successful account logon upon logon. - <VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 8 - DISA - DPMS Target - Red Hat Enterprise Linux 8 - 2921 - - CCI-000052 - Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". - -Add the following line to the top of "/etc/pam.d/postlogin": - -session required pam_lastlog.so showfailed - - - + @@ -6370,7 +6348,7 @@ PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect. - + @@ -6396,7 +6374,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 UMASK 077 - + @@ -6430,7 +6408,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules The audit daemon must be restarted for the changes to take effect. - + @@ -6460,7 +6438,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator action_mail_acct = root - + @@ -6490,7 +6468,7 @@ Add/update the following line in "/etc/aliases": postmaster: root - + 
@@ -6522,7 +6500,7 @@ disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - + @@ -6556,7 +6534,7 @@ disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - + @@ -6584,7 +6562,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: local_events = yes - + @@ -6616,7 +6594,7 @@ name_format = hostname The audit daemon must be restarted for changes to take effect. - + @@ -6646,7 +6624,7 @@ log_format = ENRICHED The audit daemon must be restarted for changes to take effect. - + @@ -6674,7 +6652,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO $ sudo chmod 0600 /var/log/audit/audit.log - + @@ -6704,7 +6682,7 @@ $ sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - + @@ -6732,7 +6710,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO log_group = root - + @@ -6762,7 +6740,7 @@ $ sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + @@ -6792,7 +6770,7 @@ $ sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + 
@@ -6822,7 +6800,7 @@ $ sudo chmod 0700 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". - + @@ -6854,7 +6832,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - + @@ -6884,7 +6862,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO --loginuid-immutable - + @@ -6916,7 +6894,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -6948,7 +6926,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -6980,7 +6958,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -7012,7 +6990,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -7044,7 +7022,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -7076,7 +7054,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -7108,7 +7086,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -7140,7 +7118,7 @@ Install the audit service (if the audit service is not already installed) with t $ sudo yum install audit - + 
@@ -7172,7 +7150,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7217,7 +7195,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7249,7 +7227,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7281,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7313,7 +7291,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7345,7 +7323,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7377,7 +7355,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7409,7 +7387,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7442,7 +7420,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7474,7 +7452,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7506,7 +7484,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -7538,7 +7516,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7570,7 +7548,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7602,7 +7580,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7634,7 +7612,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7666,7 +7644,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7698,7 +7676,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7730,7 +7708,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7762,7 +7740,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7794,7 +7772,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7826,7 +7804,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7861,7 +7839,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -7901,7 +7879,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7933,7 +7911,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7966,7 +7944,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7998,7 +7976,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8030,7 +8008,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8073,7 +8051,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8112,7 +8090,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8150,7 +8128,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8182,7 +8160,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8214,7 +8192,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8246,7 +8224,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -8288,7 +8266,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8330,7 +8308,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -8356,7 +8334,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules $ sudo chmod 0640 /etc/audit/auditd.conf - + @@ -8386,7 +8364,7 @@ $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - + @@ -8418,7 +8396,7 @@ $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root". - + @@ -8450,7 +8428,7 @@ $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root". - + @@ -8485,7 +8463,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog - + @@ -8520,7 +8498,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog-gnutls - + @@ -8552,7 +8530,7 @@ overflow_action = syslog The audit daemon must be restarted for changes to take effect. - + @@ -8588,7 +8566,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion $ActionSendStreamDriverAuthMode x509/name - + @@ -8614,7 +8592,7 @@ space_left = 25% Note: Option names and values in the auditd.conf file are case insensitive. - + @@ -8644,7 +8622,7 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc port 0 - + @@ -8674,7 +8652,7 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc cmdport 0 - + @@ -8708,7 +8686,7 @@ If a privileged user were to log on using this service, the privileged user pass $ sudo yum remove telnet-server - + 
@@ -8738,7 +8716,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove abrt* - + @@ -8768,7 +8746,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove sendmail - + @@ -8801,7 +8779,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -8834,7 +8812,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -8867,7 +8845,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -8900,7 +8878,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -8933,7 +8911,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -8964,16 +8942,16 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000114-GPOS-00059 <GroupDescription></GroupDescription> - + RHEL-08-040070 - The RHEL 8 file system automounter must be disabled unless required. + The RHEL 8 file system automounter must be disabled. <VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 
@@ -8984,17 +8962,15 @@ Reboot the system for the settings to take effect. CCI-000778 - Configure the operating system to disable the ability to automount devices. + Configure RHEL 8 to disable the ability to automount devices. Turn off the automount service with the following commands: $ sudo systemctl stop autofs -$ sudo systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO. - +$ sudo systemctl disable autofs + - + @@ -9025,7 +9001,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -9055,7 +9031,7 @@ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if $ sudo yum install firewalld.noarch - + @@ -9095,7 +9071,7 @@ Add or update the line: Reboot the system for the settings to take effect. - + @@ -9125,7 +9101,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9153,7 +9129,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9183,7 +9159,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9213,7 +9189,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9241,7 +9217,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9271,7 +9247,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + 
@@ -9301,7 +9277,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9331,7 +9307,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9361,7 +9337,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9391,7 +9367,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9421,7 +9397,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9451,7 +9427,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9481,7 +9457,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9511,7 +9487,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9541,7 +9517,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -9575,7 +9551,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPO $ sudo yum install fapolicyd.x86_64 - + @@ -9605,7 +9581,7 @@ FirewallBackend=nftables Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces. - + 
@@ -9635,7 +9611,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo systemctl enable sshd.service - + @@ -9671,7 +9647,7 @@ Restart the SSH daemon for the settings to take effect. $ sudo systemctl restart sshd.service - + @@ -9703,7 +9679,7 @@ Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + @@ -9737,14 +9713,14 @@ Then update the dconf settings: $ sudo dconf update - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040172 The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -9756,16 +9732,22 @@ $ sudo dconf update 2921 CCI-000366 - Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: + Configure RHEL 8 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: + +If no drop file exists, create one with the following command: + +$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction + +Edit the file to contain the setting by adding the following text: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + - + @@ -9795,7 +9777,7 @@ Reload the daemon to take effect. $ sudo systemctl daemon-reload - + @@ -9819,7 +9801,7 @@ $ sudo systemctl daemon-reload $ sudo yum remove tftp-server - + @@ -9843,7 +9825,7 @@ $ sudo yum remove tftp-server If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - + @@ -9890,7 +9872,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -9938,7 +9920,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -9985,7 +9967,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -10032,7 +10014,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -10079,7 +10061,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -10126,7 +10108,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + 
@@ -10175,7 +10157,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -10224,7 +10206,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -10272,7 +10254,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -10319,7 +10301,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + 
@@ -10363,19 +10345,19 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040282 RHEL 8 must restrict usage of ptrace to descendant processes. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf @@ -10390,24 +10372,20 @@ The sysctl --system command will load settings from all system configuration fil 2921 CCI-000366 - Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory: + Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line in a dropfile, in the "/etc/sysctl.d" directory with the following commands: -kernel.yama.ptrace_scope = 1 +Create the dropfile if it doesn't already exist: +$ sudo vi /etc/sysctl.d/99-ptrace-restrict.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +kernel.yama.ptrace_scope = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system - + - + @@ -10451,7 +10429,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + 
@@ -10495,19 +10473,19 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040285 RHEL 8 must use reverse path filtering on all IPv4 interfaces. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf @@ -10522,24 +10500,22 @@ The sysctl --system command will load settings from all system configuration fil 2921 CCI-000366 - Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + Configure RHEL 8 to use reverse path filtering on IPv4 interfaces by default. -net.ipv4.conf.all.rp_filter = 1 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Create a configuration file if it does not already exist: -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +$ sudo vi /etc/sysctl.d/ipv4_rp_filter.conf + +net.ipv4.conf.default.rp_filter = 1 + +Load settings from all system configuration files with the following command: $ sudo sysctl --system - + - + @@ -10564,7 +10540,7 @@ $ sudo sysctl --system $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - + @@ -10592,7 +10568,7 @@ $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-ut A reboot is required for the changes to take effect. - + @@ -10620,7 +10596,7 @@ Set the promiscuous mode of an interface to off with the following command: $ sudo ip link set dev <devicename> multicast off promisc off - + 
@@ -10634,7 +10610,7 @@ $ sudo ip link set dev <devicename> multicast off promisc off +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 DISA @@ -10652,7 +10628,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd - + @@ -10678,7 +10654,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us X11UseLocalhost yes - + @@ -10710,7 +10686,7 @@ $ sudo systemctl daemon-reload $ sudo systemctl restart tftp.service - + @@ -10734,14 +10710,14 @@ $ sudo systemctl restart tftp.service $ sudo yum remove vsftpd - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040370 The gssproxy package must not be installed unless mission essential on RHEL 8. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -10756,13 +10732,14 @@ The gssproxy package is a proxy for GSS API credential handling and could expose Red Hat Enterprise Linux 8 2921 + CCI-000381 Document the gssproxy package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove gssproxy - + 
@@ -10790,7 +10767,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI $ sudo yum remove iprutils - + @@ -10818,7 +10795,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. $ sudo yum remove tuned - + @@ -10849,7 +10826,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-server - + @@ -10873,7 +10850,7 @@ ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL - + @@ -10903,7 +10880,7 @@ Remove any configurations that conflict with the above from the following locati /etc/sudoers.d/ - + @@ -10938,7 +10915,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files. - + @@ -10981,14 +10958,14 @@ Run the following command to update the database: $ sudo dconf update - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-08-010152 RHEL 8 operating systems must require authentication upon booting into emergency mode. <VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -11005,7 +10982,7 @@ $ sudo dconf update ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - + @@ -11035,7 +11012,7 @@ Edit/modify the following line in the "/etc/pam.d/system-auth" file to include t password sufficient pam_unix.so sha512 - + 
@@ -11073,7 +11050,7 @@ For the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service - + @@ -11099,7 +11076,7 @@ The rngd service feeds random data from hardware device to kernel random device. $ sudo yum install rng-tools - + @@ -11129,7 +11106,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -11151,14 +11128,14 @@ $ sudo systemctl restart sshd.service Migrate the "/var/tmp" path onto a separate file system. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010572 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -11174,7 +11151,7 @@ $ sudo systemctl restart sshd.service Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory. - + @@ -11208,7 +11185,7 @@ Update the system databases: $ sudo dconf update - + @@ -11253,7 +11230,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -11277,7 +11254,7 @@ $ sudo dconf update Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + 
@@ -11309,7 +11286,7 @@ $ sudo systemctl enable auditd.service $ sudo systemctl start auditd.service - + @@ -11335,7 +11312,7 @@ space_left_action = email Note: Option names and values in the auditd.conf file are case insensitive. - + @@ -11364,7 +11341,7 @@ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if $ sudo systemctl enable firewalld - + @@ -11398,7 +11375,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPO $ sudo systemctl enable --now fapolicyd - + @@ -11426,7 +11403,7 @@ The System Administrator (SA) must work with the site Information System Securit $ sudo yum install usbguard.x86_64 - + @@ -11460,7 +11437,7 @@ $ sudo systemctl start usbguard.service Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse - + @@ -11490,7 +11467,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo yum install openssh-server.x86_64 - + @@ -11536,7 +11513,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -11582,7 +11559,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -11628,7 +11605,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -11674,7 +11651,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -11720,7 +11697,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -11747,7 +11724,7 @@ Lock an account: $ sudo passwd -l [username] - + @@ -11773,7 +11750,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a $ sudo chmod 755 [DIRECTORY] - + 
@@ -11801,7 +11778,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no $ sudo chown root [DIRECTORY] - + @@ -11829,7 +11806,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no $ sudo chgrp root [DIRECTORY] - + @@ -11861,7 +11838,7 @@ $ sudo vi /etc/pam.d/sudo Remove any occurrences of "pam_succeed_if" in the file. - + @@ -11891,7 +11868,7 @@ Add the following line to the "/etc/pam.d/system-auth" file (or modify the line password requisite pam_pwquality.so - + @@ -11919,7 +11896,7 @@ $ sudo systemctl set-default multi-user.target A reboot is required for the changes to take effect. - + 
@@ -11948,18 +11925,134 @@ The "logind" service must be restarted for the changes to take effect. To restar $ sudo systemctl restart systemd-logind - + + + + + + SRG-OS-000163-GPOS-00072 + <GroupDescription></GroupDescription> + + RHEL-08-020360 + RHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. + <VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. + +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA + DPMS Target + Red Hat Enterprise Linux 8 + 2921 + + CCI-001133 + Configure RHEL 8 to exit interactive command shell user sessions after 10 minutes of inactivity. + +Add or edit the following line in "/etc/profile.d/tmout.sh": + +#!/bin/bash + +declare -xr TMOUT=600 + + + + + + + + SRG-OS-000033-GPOS-00014 + <GroupDescription></GroupDescription> + + RHEL-08-010280 + RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms. 
+ <VulnDiscussion>Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA + DPMS Target + Red Hat Enterprise Linux 8 + 2921 + + + CCI-000068 + Configure Libreswan to use the system cryptographic policy. + +Add the following line to "/etc/ipsec.conf": + +include /etc/crypto-policies/back-ends/libreswan.config + + + + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + RHEL-08-010275 + RHEL 8 must implement DOD-approved encryption in the bind package. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates systemwide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA + DPMS Target + Red Hat Enterprise Linux 8 + 2921 + + + CCI-002418 + Configure BIND to use the system crypto policy. + +Add the following line to the "options" section in "/etc/named.conf": + +include "/etc/crypto-policies/back-ends/bind.config"; + + + + + + + + SRG-OS-000396-GPOS-00176 + <GroupDescription></GroupDescription> + + RHEL-08-010015 + RHEL 8 must have the crypto-policies package installed. + <VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. 
+ +Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA + DPMS Target + Red Hat Enterprise Linux 8 + 2921 + + CCI-002450 + Install the crypto-policies package (if the package is not already installed) with the following command: + +$ sudo dnf -y install crypto-policies + + + - + - Security Content Tool 1.6.0 + Security Content Tool 1.7.0 5.11 - 2025-09-25T11:54:30 + 2026-01-05T02:27:46 @@ -12172,23 +12265,6 @@ $ sudo systemctl restart systemd-logind - - - The operating system operating system must implement DoD-approved TLS encryption in the OpenSSL package. - - - - - - - - - - - - - - The operating system system commands must have mode 755 or less permissive. @@ -12396,9 +12472,9 @@ $ sudo systemctl restart systemd-logind
- + - The operating system SSH daemon must not allow authentication using known host’s authentication. + The operating system SSH daemon must not allow authentication using known host's authentication. @@ -12512,14 +12588,13 @@ $ sudo systemctl restart systemd-logind - + The operating system must disable the kernel.core_pattern. - @@ -12929,16 +13004,6 @@ $ sudo systemctl restart systemd-logind - - - The operating system must display the date and time of the last successful account logon upon logon. - - - - - - - The operating system must display the date and time of the last successful account logon upon an SSH logon. @@ -14088,14 +14153,13 @@ $ sudo systemctl restart systemd-logind - + - The operating system must restrict usage of ptrace to descendant processes. + The operating system must restrict usage of ptrace to descendant processes. - + - @@ -14118,16 +14182,6 @@ $ sudo systemctl restart systemd-logind - - - The operating system must use reverse path filtering on all IPv4 interfaces. - - - - - - - The operating system must be configured to prevent unrestricted mail relaying. @@ -14182,16 +14236,6 @@ $ sudo systemctl restart systemd-logind - - - The gssproxy package must not be installed unless mission essential on the operating system. - - - - - - - The iprutils package must not be installed unless mission essential on the operating system. @@ -14633,6 +14677,15 @@ $ sudo systemctl restart systemd-logind + + + The gssproxy package must not be installed unless mission essential on the operating system. + + + + + + The operating system must mount /tmp with the noexec option. @@ -14725,6 +14778,15 @@ $ sudo systemctl restart systemd-logind + + + The operating system must automatically exit interactive command shell user sessions after 15 minutes of inactivity. + + + + + + The operating system must require users to reauthenticate for privilege escalation. 
@@ -14786,6 +14848,37 @@ $ sudo systemctl restart systemd-logind + + + The operating system IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. + + + + + + + + + + + + + The operating system must have the crypto-policies package installed. + + + + + + + + + The operating system must implement DOD-approved encryption in the bind package. + + + + + + The operating system library directories must have mode 0755 or less permissive. @@ -14808,6 +14901,15 @@ $ sudo systemctl restart systemd-logind + + + The operating system must use reverse path filtering on all IPv4 interfaces. + + + + + + The autofs package is installed. @@ -14844,6 +14946,24 @@ $ sudo systemctl restart systemd-logind + + + The libreswan package is installed. + + + + + + + + + The system has BIND installed. + + + + + + The system is RHEL 8.1 or lower 
@@ -15304,26 +15424,6 @@ The SSH implementation in RHEL8 uses the OPENSSL library, which does not use hig - - - RHEL-08-010294 - The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. - - Red Hat Enterprise Linux 8 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065 - - - - - RHEL-08-010300 - RHEL 8 system commands must have mode 755 or less permissive. @@ -15726,9 +15826,9 @@ This requirement applies to operating systems performing security function verif - + - RHEL-08-010520 - The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. + RHEL-08-010520 - The RHEL 8 SSH daemon must not allow authentication using known host's authentication. Red Hat Enterprise Linux 8 
@@ -16654,18 +16754,6 @@ Configuration settings are the set of parameters that can be changed in hardware - - - RHEL-08-020340 - RHEL 8 must display the date and time of the last successful account logon upon logon. - - Red Hat Enterprise Linux 8 - - Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. - - - - - RHEL-08-020350 - RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. @@ -18821,9 +18909,9 @@ The sysctl --system command will load settings from all system configuration fil - + - RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes. + RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes. Red Hat Enterprise Linux 8 @@ -18881,7 +18969,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces. @@ -18898,7 +18986,7 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + @@ -18939,7 +19027,7 @@ If the system is being used to perform a network troubleshooting function, the u - + RHEL-08-040340 - RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. 
@@ -18949,7 +19037,7 @@ If the system is being used to perform a network troubleshooting function, the u X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. -If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs. @@ -18991,7 +19079,7 @@ If X11 services are not required for the system's intended function, they should - + RHEL-08-040370 - The gssproxy package must not be installed unless mission essential on RHEL 8. @@ -19004,7 +19092,7 @@ Operating systems are capable of providing a wide variety of functions and servi The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. - + 
@@ -19587,6 +19675,64 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s + + + RHEL-08-020360 - RHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. + + Red Hat Enterprise Linux 8 + + Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. + + Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010 + + + + + + + + RHEL-08-010280 - RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms. + + Red Hat Enterprise Linux 8 + + Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented. + + + + + + + + RHEL-08-010275 - RHEL 8 must implement DOD-approved encryption in the bind package. + + Red Hat Enterprise Linux 8 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates systemwide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + + Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 + + + + + + + + RHEL-08-010015 - RHEL 8 must have the crypto-policies package installed. + + Red Hat Enterprise Linux 8 + + Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. 
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + + Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 + + + + + @@ -19683,18 +19829,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - - - - - - - - - - @@ -19776,7 +19910,7 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - + @@ -19788,10 +19922,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - - @@ -19994,12 +20124,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - - - - @@ -20509,10 +20633,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - - @@ -20522,11 +20642,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - - - @@ -20778,6 +20893,10 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s + + + + @@ -20806,6 +20925,22 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s + + + + + + + + + + + + + + + + @@ -20860,10 +20995,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - - @@ -20887,7 +21018,7 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - + @@ -21067,6 +21198,15 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s + + + + + + + + + @@ -21297,11 +21437,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - - - @@ -21373,6 +21508,10 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s + + + + 
@@ -21596,21 +21735,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s ^[ \t]*SSH_USE_STRONG_RNG[ \t]*=[ \t]*32[ \t]*$ 1 - - /etc/crypto-policies/back-ends/opensslcnf.config - ^\s*MinProtocol\s*=\s*([\.\w]+)\s*(?:#.*)?$ - 1 - - - /etc/crypto-policies/back-ends/opensslcnf.config - ^\s*TLS\.MinProtocol\s*=\s*([\.\w]+)\s*(?:#.*)?$ - 1 - - - /etc/crypto-policies/back-ends/opensslcnf.config - ^\s*DTLS\.MinProtocol\s*=\s*([\.\w]+)\s*(?:#.*)?$ - 1 - /etc/yum.repos.d \.repo$ @@ -21823,9 +21947,9 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s ^\s*[^#\s]+\s+/boot\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ 1 - + /etc/fstab - ^\s*/dev\S*\s+/\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + ^\s*/dev\S*\s+/\S+\s+(?!vfat\s+)\S+\s+(\S+)\s+\S+\s+\S+\s*$ 1 @@ -21838,23 +21962,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 - - /etc/sysctl.conf - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23031100 - oval:mil.disa.stig.ind:obj:23031101 - - oval:mil.disa.stig.ind:obj:23031302 @@ -22323,16 +22430,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s ^(?i)\s*PermitEmptyPasswords\s+(\w+)$ 1 - - /etc/pam.d/postlogin - ^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*showfailed\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - - - /etc/pam.d/postlogin - ^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*silent\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - /etc/ssh/sshd_config ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ 
@@ -23225,23 +23322,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s (?:^|\.*\n)\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ 1 - - /etc/sysctl.conf - ^\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054601 - oval:mil.disa.stig.ind:obj:23054602 - - \.conf$ @@ -23276,23 +23356,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s oval:mil.disa.stig.ind:obj:23054802 - - - oval:mil.disa.stig.ind:obj:23054901 - oval:mil.disa.stig.ind:obj:23054902 - - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ - 1 - /etc/postfix/main.cf ^smtpd_client_restrictions[ \t]*=[ \t]*permit_mynetworks[, \t]+reject[ \t]*$ @@ -23781,6 +23844,24 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s oval:mil.disa.stig.defs:var:25804500 + + + oval:mil.disa.stig.ind:obj:25806801 + oval:mil.disa.stig.ind:obj:25806802 + + + + /etc/profile + ^[^#]*\s*TMOUT=(\d+)\s*$ + 1 + + + + /etc/profile.d + ^.+\.sh$ + ^[^#]*\s*TMOUT=(\d+)\s*$ + 1 + /etc/sudoers @@ -23831,6 +23912,22 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s ^\$ActionSendStreamDriverAuthMode\s+(\S+)\s*$ 1 + + /etc/ipsec.conf + ^\s*include\s+(.*)\s*$ + 1 + + + /etc/ipsec.d + ^.*\.conf$ + ^\s*include\s+(.*)\s*$ + 1 + + + /etc/named.conf + ^\s*include\s+"(.*)"\s*;\s*$ + 1 + oval:mil.disa.stig.ind:obj:27172001 @@ -23873,9 +23970,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s policycoreutils - - crypto-policies - openssl-pkcs11 @@ -23894,8 +23988,9 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s /boot - + ^/\S+$ + oval:mil.disa.stig.linux:ste:23030103 oval:mil.disa.stig.linux:ste:23030102 
@@ -24040,6 +24135,15 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s auditd.service SubState + + crypto-policies + + + bind + + + libreswan + /sys/firmware/efi @@ -24110,17 +24214,17 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s oval:mil.disa.stig.unix:ste:23025800 - - + + - \.so(\.\d+)*$ + \.so(\S+)*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:20000005 - + - \.so(\.\d+)*$ + (\.so\S*)$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:20000006 @@ -24337,38 +24441,38 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s .* oval:mil.disa.stig.unix:ste:25804500 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048700 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048701 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048702 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048703 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048704 @@ -24431,6 +24535,9 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s 0 + + 600 + (?i)(?:^|\n)[^#]*\btype\s*=\s*"omfwd" @@ -24458,12 +24565,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s enforcing - - TLSv1\.[2|3] - - - DTLSv1\.[2|3] - \n\s*gpgcheck\s*=\s*(True|1|yes)\s*(\n|$) @@ -24482,9 +24583,6 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s ^.*noexec.*$ - - |/bin/false - 0 @@ -24665,6 +24763,15 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s (?i)(?:^|\n)[^#]*\bStreamDriver\.?AuthMode\b + + /etc/crypto-policies/back-ends/libreswan.config + + + /etc/ipsec.d/*.conf + + + /etc/crypto-policies/back-ends/bind.config + 8\.[0-1]$ 
@@ -24717,12 +24824,12 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s selinuxfs - - 20210617 - ^/dev\S*$ + + vfat + nosuid @@ -25200,15 +25307,15 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - + - Security Content Tool 1.6.0 + Security Content Tool 1.7.0 5.11 - 2025-09-25T11:54:34 + 2026-01-05T02:27:51 - + RHEL 8 is installed @@ -25219,6 +25326,8 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s + + @@ -25227,8 +25336,20 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s + + + + + + + + toss-release + + + oraclelinux-release + redhat-release From fa8541320e06252b0b83143d8501511db2dd55d6 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 20:01:50 +0100 Subject: [PATCH 061/265] add new control RHEL-08-010015 --- products/rhel8/controls/stig_rhel8.yml | 8 ++++++++ tests/data/profile_stability/rhel8/stig.profile | 1 + tests/data/profile_stability/rhel8/stig_gui.profile | 1 + 3 files changed, 10 insertions(+) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index b70ea1d7eab9..69e9d1704d48 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -97,6 +97,14 @@ controls: - security_patches_up_to_date status: automated + - id: RHEL-08-010015 + levels: + - high + title: RHEL 8 must have the crypto-policies package installed. + rules: + - package_crypto-policies_installed + status: automated + - id: RHEL-08-010020 levels: - high diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 60efb6228656..2e8ad63e40be 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile 
@@ -280,6 +280,7 @@ package_abrt-plugin-sosreport_removed package_abrt_removed package_aide_installed package_audit_installed +package_crypto-policies_installed package_fapolicyd_installed package_firewalld_installed package_gssproxy_removed diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 2c4efdbf7465..0d779ed17c7c 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -279,6 +279,7 @@ package_abrt-plugin-sosreport_removed package_abrt_removed package_aide_installed package_audit_installed +package_crypto-policies_installed package_fapolicyd_installed package_firewalld_installed package_gssproxy_removed From ce6bddbff37fe0bb05ac9acf91b235201bb8f7e7 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 20:36:57 +0100 Subject: [PATCH 062/265] align RHEL-08-010020 with the latest STIG update --- products/rhel8/controls/stig_rhel8.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 69e9d1704d48..e2a106e37eea 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -72,7 +72,7 @@ controls: - var_time_service_set_maxpoll=18_hours # Enable / Configure FIPS - enable_fips_mode - - var_system_crypto_policy=fips + - var_system_crypto_policy=fips_stig - configure_crypto_policy - configure_bind_crypto_policy - configure_libreswan_crypto_policy 
@@ -108,21 +108,12 @@ controls: - id: RHEL-08-010020 levels: - high - title: 'RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision - digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest - protections in accordance with applicable federal laws, Executive Orders, directives, policies, - regulations, and standards.' + title: RHEL 8 must implement a FIPS 140-3-compliant systemwide cryptographic policy. rules: - - configure_bind_crypto_policy - configure_crypto_policy - - configure_kerberos_crypto_policy - - configure_libreswan_crypto_policy - - enable_dracut_fips_module - - enable_fips_mode - fips_crypto_subpolicy - - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy - - sysctl_crypto_fips_enabled + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - id: RHEL-08-010030 From f4fc667cd5335146732219d5359d68d1671dff3e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 20:44:42 +0100 Subject: [PATCH 063/265] create RHEL-08-010275 --- products/rhel8/controls/stig_rhel8.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index e2a106e37eea..e20884663c0f 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -337,6 +337,14 @@ controls: - file_groupowner_var_log status: automated + - id: RHEL-08-010275 + levels: + - medium + title: RHEL 8 must implement DOD-approved encryption in the bind package. + rules: + - configure_bind_crypto_policy + status: automated + - id: RHEL-08-010290 levels: - medium From b57c5ed064e067269dfbfb7adbb32e0868b1b9be Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 20:47:35 +0100 Subject: [PATCH 064/265] create RHEL-08-010280 --- products/rhel8/controls/stig_rhel8.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
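Review bot: The rule set that replaces the old list under RHEL-08-010020 verifies which policy is selected (`var_system_crypto_policy=fips_stig`, `configure_crypto_policy`) and the content of the two subpolicy files, but nothing left in this control confirms the kernel itself is running in FIPS mode, which the policy files alone do not establish. `enable_fips_mode` survives in the generic control (it is still visible as context in a later commit of this series), while `sysctl_crypto_fips_enabled`, presumably the runtime check of the crypto.fips_enabled sysctl, is parked in default.profile later in the series and so leaves the STIG profile. If the intent is that `enable_fips_mode` alone covers kernel state for this control, record it on the control so the next editor does not re-add the sysctl rule or drop the generic one, e.g. `notes: Kernel FIPS mode is covered by enable_fips_mode in the generic control; this control only checks the system-wide policy selection and the FIPS:STIG subpolicy.`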
diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index e20884663c0f..b5d5d3be0bf7 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -345,6 +345,14 @@ controls: - configure_bind_crypto_policy status: automated + - id: RHEL-08-010280 + levels: + - medium + title: RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms. + rules: + - configure_libreswan_crypto_policy + status: automated + - id: RHEL-08-010290 levels: - medium From 466c48c9401d313f3e4a03153e65b89c883ff92b Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 4 Feb 2026 10:27:46 +0100 Subject: [PATCH 065/265] add RHEL-08-010270 --- products/rhel8/controls/stig_rhel8.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index b5d5d3be0bf7..02cd17a38518 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -337,6 +337,14 @@ controls: - file_groupowner_var_log status: automated + - id: RHEL-08-010270 + levels: + - high + title: RHEL 8 cryptographic policy must not be overridden. + rules: + - configure_crypto_policy + status: automated + - id: RHEL-08-010275 levels: - medium From 8a2fcb2bdd78561338e907b8a48cd237a2c8ec4e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 4 Feb 2026 13:17:29 +0100 Subject: [PATCH 066/265] remove rules from generic control, they were duplicates or no longer needed --- products/rhel8/controls/stig_rhel8.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 02cd17a38518..0d0e7088ac97 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml 
@@ -72,12 +72,6 @@ controls: - var_time_service_set_maxpoll=18_hours # Enable / Configure FIPS - enable_fips_mode - - var_system_crypto_policy=fips_stig - - configure_crypto_policy - - configure_bind_crypto_policy - - configure_libreswan_crypto_policy - - configure_kerberos_crypto_policy - - enable_dracut_fips_module # Other needed rules - enable_authselect From 3bd211c31f210a6fb764753bd1c6ecde1a53ad77 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 4 Feb 2026 13:21:10 +0100 Subject: [PATCH 067/265] modify controls which check for STIG-specific modifications to ssh server cryptopolicy --- products/rhel8/controls/stig_rhel8.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 0d0e7088ac97..188dff2ba512 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -360,8 +360,12 @@ controls: - medium title: The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. + notes: This is implemented by a special STIG subpolicy. rules: - - harden_sshd_macs_opensshserver_conf_crypto_policy + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - id: RHEL-08-010291 @@ -369,8 +373,12 @@ controls: - medium title: The RHEL 8 operating system must implement DOD-approved encryption to protect the confidentiality of SSH server connections. + notes: This is implemented by a special STIG subpolicy. rules: - - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - id: RHEL-08-010292 From 199d00f64785ec264f8bd71ef0458753694ce52d Mon Sep 17 00:00:00 2001 
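Review bot: The four rules now listed under RHEL-08-010290 and RHEL-08-010291 check that the FIPS:STIG policy is selected and its subpolicy files are correct, but none of them checks that sshd actually consumes that policy; a daemon-level override of the system-wide policy would leave both controls passing while the server negotiates other MACs and ciphers. The rule whose title says it covers exactly that, `configure_ssh_crypto_policy` ("SSH daemon must be configured to use system-wide crypto policies"), is removed from the profile later in this series with RHEL-08-010287 and is not parked in default.profile, so after the series no selected rule binds sshd to the policy. Either keep `configure_ssh_crypto_policy` in one of these two controls or say in the note why it is not needed, e.g. `notes: Implemented by the FIPS:STIG subpolicy; sshd must not override the system-wide policy (see configure_ssh_crypto_policy).` The byte-identical rule lists on a MAC control and a cipher control are expected when one policy serves both, but that is also worth a sentence in the note.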
From: Vojtech Polasek Date: Wed, 4 Feb 2026 13:42:56 +0100 Subject: [PATCH 068/265] modify controls regarding SSH client macs and ciphers handled by special STIG subpolicy --- .../fips/fips_custom_stig_sub_policy/rule.yml | 1 + products/rhel8/controls/stig_rhel8.yml | 22 ++++++++++++------- shared/references/cce-redhat-avail.txt | 1 - 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml b/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml index 6e77c605a64b..d812375e6e5a 100644 --- a/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml @@ -11,6 +11,7 @@ rationale: |- severity: medium identifiers: + cce@rhel8: CCE-86493-4 cce@rhel9: CCE-86570-9 references: diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 188dff2ba512..8e2cd0db840d 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml 
@@ -3229,20 +3229,26 @@ controls: - id: RHEL-08-010296 levels: - medium - title: RHEL 8 SSH client must be configured to use only Message Authentication Codes (MACs) employing - FIPS 140-3 validated cryptographic hash algorithms. + title: The RHEL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + notes: This is implemented by a special STIG subpolicy. rules: - - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - id: RHEL-08-010297 levels: - medium - title: RHEL 8 SSH client must be configured to use only ciphers employing FIPS 140-3 validated - cryptographic hash algorithms. - rules: [] - status: pending + title: The RHEL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + notes: This is implemented by a special STIG subpolicy. + rules: + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig + status: automated - id: RHEL-08-010455 levels: diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index d854c03a3bec..3bb008e504e6 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -5,7 +5,6 @@ CCE-86482-7 CCE-86483-5 CCE-86484-3 CCE-86492-6 -CCE-86493-4 CCE-86494-2 CCE-86497-5 CCE-86498-3 From 5f2da3e9cb1e20ea59c410d280344d4cab2f9871 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Wed, 4 Feb 2026 15:58:21 +0100 Subject: [PATCH 069/265] update the default profile to prevent removing rules from datastream --- products/rhel8/profiles/default.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile index 8b3cd0016da6..fb6bc81979d2 100644 --- a/products/rhel8/profiles/default.profile +++ b/products/rhel8/profiles/default.profile @@ -731,3 +731,6 @@ selections: - package_xorg-x11-server-common_removed - accounts_users_netrc_file_permissions - journald_forward_to_syslog + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + - sysctl_crypto_fips_enabled From 40cb382ca96c06612591af3e872b29d5042fe927 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 19:09:11 +0100 Subject: [PATCH 070/265] drop RHEL-08-010287 --- products/rhel8/controls/stig_rhel8.yml | 8 -------- tests/data/profile_stability/rhel8/stig.profile | 1 - tests/data/profile_stability/rhel8/stig_gui.profile | 1 - 3 files changed, 10 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 8e2cd0db840d..db1dca24bad0 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -2835,14 +2835,6 @@ controls: - sshd_set_idle_timeout status: automated - - id: RHEL-08-010287 - levels: - - medium - title: The RHEL 8 SSH daemon must be configured to use system-wide crypto policies. - rules: - - configure_ssh_crypto_policy - status: automated - - id: RHEL-08-010472 levels: - low diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 2e8ad63e40be..0ab7dbbd6b21 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile 
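Review bot: The three selections added at the end of default.profile carry no comment saying why they are there, and the reason is only in the commit message: they were dropped from the STIG controls earlier in this series and are selected here solely so the rules stay in the built data stream. A maintainer reading the profile later will not know they can be removed once another profile selects them, so add a comment above them such as `# Kept selected so these rules remain in the data stream after being removed from the STIG controls (FIPS:STIG subpolicy now covers the sshd ciphers/MACs).` The same commit in the series that removed these rules from the generic STIG control also removed `configure_kerberos_crypto_policy` and `enable_dracut_fips_module`, and the stability-profile updates later in the series show neither is selected by the STIG profiles any more; they are not added here either, so unless another profile still selects them they drop out of the data stream, which is exactly what this commit is meant to prevent. If their removal is deliberate, say so; otherwise append `- configure_kerberos_crypto_policy` and `- enable_dracut_fips_module` to this list.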
@@ -145,7 +145,6 @@ configure_kerberos_crypto_policy configure_libreswan_crypto_policy configure_openssl_crypto_policy configure_openssl_tls_crypto_policy -configure_ssh_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny coredump_disable_backtraces diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 0d779ed17c7c..b3e6b6d3b6c9 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -145,7 +145,6 @@ configure_kerberos_crypto_policy configure_libreswan_crypto_policy configure_openssl_crypto_policy configure_openssl_tls_crypto_policy -configure_ssh_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny coredump_disable_backtraces From 07516a5b5771172965a57b72783a360fd1ed63f2 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 19:12:19 +0100 Subject: [PATCH 071/265] drop RHEL-08-010293 --- products/rhel8/controls/stig_rhel8.yml | 8 -------- tests/data/profile_stability/rhel8/stig.profile | 1 - tests/data/profile_stability/rhel8/stig_gui.profile | 1 - 3 files changed, 10 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index db1dca24bad0..2480e804eedf 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -389,14 +389,6 @@ controls: - sshd_use_strong_rng status: automated - - id: RHEL-08-010293 - levels: - - medium - title: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. - rules: - - configure_openssl_crypto_policy - status: automated - - id: RHEL-08-010294 levels: - medium diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 0ab7dbbd6b21..4944daadaa5b 100644 --- a/tests/data/profile_stability/rhel8/stig.profile 
+++ b/tests/data/profile_stability/rhel8/stig.profile @@ -143,7 +143,6 @@ configure_firewalld_ports configure_gnutls_tls_crypto_policy configure_kerberos_crypto_policy configure_libreswan_crypto_policy -configure_openssl_crypto_policy configure_openssl_tls_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index b3e6b6d3b6c9..3e606cedf879 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -143,7 +143,6 @@ configure_firewalld_ports configure_gnutls_tls_crypto_policy configure_kerberos_crypto_policy configure_libreswan_crypto_policy -configure_openssl_crypto_policy configure_openssl_tls_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny From d0db608714c0f74c5963924f188a424aa90458f8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 19:14:38 +0100 Subject: [PATCH 072/265] drop RHEL-08-010294 --- products/rhel8/controls/stig_rhel8.yml | 9 +-------- tests/data/profile_stability/rhel8/stig.profile | 1 - tests/data/profile_stability/rhel8/stig_gui.profile | 1 - 3 files changed, 1 insertion(+), 10 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 2480e804eedf..e45f5a5d1eae 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -389,15 +389,8 @@ controls: - sshd_use_strong_rng status: automated - - id: RHEL-08-010294 - levels: - - medium - title: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. - rules: - - configure_openssl_tls_crypto_policy - status: automated - - id: RHEL-08-010295 + - id: RHEL-08-01029 levels: - medium title: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. 
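Review bot: `- id: RHEL-08-01029` in this hunk is a truncated identifier, one digit short of the RHEL-08-010295 control it replaces, and the hunk counts (15 old, 8 new) show a stray blank line was added with it, so at this commit the GnuTLS control has neither the real STIG ID nor has it been removed. The next commit in the series deletes the whole control, but this intermediate state breaks bisecting and any validation that checks control IDs against the STIG. Either restore `- id: RHEL-08-010295` here and let the later commit remove the control, or squash the two commits so the broken ID never lands.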
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 4944daadaa5b..9445ad03255a 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -143,7 +143,6 @@ configure_firewalld_ports configure_gnutls_tls_crypto_policy configure_kerberos_crypto_policy configure_libreswan_crypto_policy -configure_openssl_tls_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny coredump_disable_backtraces diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 3e606cedf879..ac7b4fe58bf3 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -143,7 +143,6 @@ configure_firewalld_ports configure_gnutls_tls_crypto_policy configure_kerberos_crypto_policy configure_libreswan_crypto_policy -configure_openssl_tls_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny coredump_disable_backtraces From f683d136a45f06862c9ed62b73d029fc2dcf260e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 3 Feb 2026 19:18:40 +0100 Subject: [PATCH 073/265] drop RHEL-08-010295 --- products/rhel8/controls/stig_rhel8.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index e45f5a5d1eae..f84d3dd8c608 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -389,15 +389,6 @@ controls: - sshd_use_strong_rng status: automated - - - id: RHEL-08-01029 - levels: - - medium - title: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. - rules: - - configure_gnutls_tls_crypto_policy - status: automated - - id: RHEL-08-010300 levels: - medium From 3160aac92f92d3cbab47d29ff2d3c497a679fd49 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Tue, 3 Feb 2026 19:21:24 +0100 Subject: [PATCH 074/265] drop RHEL-08-040342 --- products/rhel8/controls/stig_rhel8.yml | 8 -------- tests/data/profile_stability/rhel8/stig.profile | 1 - tests/data/profile_stability/rhel8/stig_gui.profile | 1 - 3 files changed, 10 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index f84d3dd8c608..09ac3e95d201 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -3152,14 +3152,6 @@ controls: - selinux_user_login_roles status: automated - - id: RHEL-08-040342 - levels: - - medium - title: RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. - rules: - - sshd_use_approved_kex_ordered_stig - status: automated - - id: RHEL-08-010019 levels: - medium diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 9445ad03255a..a8089a7e0ed0 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -357,7 +357,6 @@ sshd_print_last_log sshd_rekey_limit sshd_set_idle_timeout sshd_set_keepalive -sshd_use_approved_kex_ordered_stig sshd_use_strong_rng sshd_x11_use_localhost sssd_certificate_verification diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index ac7b4fe58bf3..02f868575741 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -355,7 +355,6 @@ sshd_print_last_log sshd_rekey_limit sshd_set_idle_timeout sshd_set_keepalive -sshd_use_approved_kex_ordered_stig sshd_use_strong_rng sshd_x11_use_localhost sssd_certificate_verification From 64fcfd46b09c5c69bd261174bc0cb0480cae7851 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Wed, 4 Feb 2026 14:30:34 +0100 Subject: [PATCH 075/265] update default profile to keep rules in the data stream --- products/rhel8/profiles/default.profile | 3 +++ tests/data/profile_stability/rhel8/stig.profile | 11 ++--------- tests/data/profile_stability/rhel8/stig_gui.profile | 11 ++--------- 3 files changed, 7 insertions(+), 18 deletions(-) diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile index fb6bc81979d2..9b9d1816c25c 100644 --- a/products/rhel8/profiles/default.profile +++ b/products/rhel8/profiles/default.profile @@ -734,3 +734,6 @@ selections: - harden_sshd_ciphers_opensshserver_conf_crypto_policy - harden_sshd_macs_opensshserver_conf_crypto_policy - sysctl_crypto_fips_enabled + - configure_gnutls_tls_crypto_policy + - configure_openssl_tls_crypto_policy + - sshd_use_approved_kex_ordered_stig diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index a8089a7e0ed0..6fee750da315 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -140,8 +140,6 @@ clean_components_post_updating configure_bind_crypto_policy configure_crypto_policy configure_firewalld_ports -configure_gnutls_tls_crypto_policy -configure_kerberos_crypto_policy configure_libreswan_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny @@ -173,7 +171,6 @@ disable_users_coredumps disallow_bypass_password_sudo display_login_attempts enable_authselect -enable_dracut_fips_module enable_fips_mode enable_gpgcheck_for_all_repositories encrypt_partitions @@ -207,6 +204,7 @@ file_permissions_var_log file_permissions_var_log_audit file_permissions_var_log_messages fips_crypto_subpolicy +fips_custom_stig_sub_policy firewalld-backend gnome_gdm_disable_automatic_login grub2_admin_username 
@@ -219,10 +217,6 @@ grub2_pti_argument grub2_uefi_admin_username grub2_uefi_password grub2_vsyscall_argument -harden_sshd_ciphers_openssh_conf_crypto_policy -harden_sshd_ciphers_opensshserver_conf_crypto_policy -harden_sshd_macs_openssh_conf_crypto_policy -harden_sshd_macs_opensshserver_conf_crypto_policy install_smartcard_packages installed_OS_is_vendor_supported kerberos_disable_no_keytab @@ -370,7 +364,6 @@ sudo_require_reauthentication sudo_restrict_privilege_elevation_to_authorized sudoers_default_includedir sudoers_validate_passwd -sysctl_crypto_fips_enabled sysctl_fs_protected_hardlinks sysctl_fs_protected_symlinks sysctl_kernel_core_pattern @@ -448,7 +441,7 @@ var_ssh_client_rekey_limit_time=1hour var_sshd_set_keepalive=1 var_sssd_certificate_verification_digest_function=sha1 var_sudo_timestamp_timeout=always_prompt -var_system_crypto_policy=fips +var_system_crypto_policy=fips_stig var_time_service_set_maxpoll=18_hours var_user_initialization_files_regex=all_dotfiles wireless_disable_interfaces diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 02f868575741..51605073e242 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -140,8 +140,6 @@ clean_components_post_updating configure_bind_crypto_policy configure_crypto_policy configure_firewalld_ports -configure_gnutls_tls_crypto_policy -configure_kerberos_crypto_policy configure_libreswan_crypto_policy configure_usbguard_auditbackend configured_firewalld_default_deny @@ -173,7 +171,6 @@ disable_users_coredumps disallow_bypass_password_sudo display_login_attempts enable_authselect -enable_dracut_fips_module enable_fips_mode enable_gpgcheck_for_all_repositories encrypt_partitions 
@@ -207,6 +204,7 @@ file_permissions_var_log file_permissions_var_log_audit file_permissions_var_log_messages fips_crypto_subpolicy +fips_custom_stig_sub_policy firewalld-backend gnome_gdm_disable_automatic_login grub2_admin_username @@ -219,10 +217,6 @@ grub2_pti_argument grub2_uefi_admin_username grub2_uefi_password grub2_vsyscall_argument -harden_sshd_ciphers_openssh_conf_crypto_policy -harden_sshd_ciphers_opensshserver_conf_crypto_policy -harden_sshd_macs_openssh_conf_crypto_policy -harden_sshd_macs_opensshserver_conf_crypto_policy install_smartcard_packages installed_OS_is_vendor_supported kerberos_disable_no_keytab @@ -368,7 +362,6 @@ sudo_require_reauthentication sudo_restrict_privilege_elevation_to_authorized sudoers_default_includedir sudoers_validate_passwd -sysctl_crypto_fips_enabled sysctl_fs_protected_hardlinks sysctl_fs_protected_symlinks sysctl_kernel_core_pattern @@ -446,7 +439,7 @@ var_ssh_client_rekey_limit_time=1hour var_sshd_set_keepalive=1 var_sssd_certificate_verification_digest_function=sha1 var_sudo_timestamp_timeout=always_prompt -var_system_crypto_policy=fips +var_system_crypto_policy=fips_stig var_time_service_set_maxpoll=18_hours var_user_initialization_files_regex=all_dotfiles wireless_disable_interfaces From 8bd7167f7f0bb4e2e9296bb03c4f602eb9732a06 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 10 Feb 2026 11:13:38 +0100 Subject: [PATCH 076/265] add new control RHEL-08-020360 --- products/rhel8/controls/stig_rhel8.yml | 10 ++++++++++ tests/data/profile_stability/rhel8/stig.profile | 5 ++--- tests/data/profile_stability/rhel8/stig_gui.profile | 5 ++--- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 09ac3e95d201..aea4d514e123 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml 
@@ -1419,6 +1419,16 @@ controls: - accounts_umask_etc_profile status: automated + - id: RHEL-08-020353 + levels: + - medium + title: RHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. + rules: + - accounts_tmout + - var_accounts_tmout=10_min + status: automated + + - id: RHEL-08-030000 levels: - medium diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 6fee750da315..1f0a36e18083 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -35,10 +35,8 @@ accounts_passwords_pam_faillock_dir accounts_passwords_pam_faillock_interval accounts_passwords_pam_faillock_silent accounts_passwords_pam_faillock_unlock_time -accounts_umask_etc_bashrc -accounts_umask_etc_csh_cshrc +accounts_tmout accounts_umask_etc_login_defs -accounts_umask_etc_profile accounts_umask_interactive_users accounts_user_dot_no_world_writable_programs accounts_user_home_paths_only @@ -403,6 +401,7 @@ var_accounts_minimum_age_login_defs=1 var_accounts_passwords_pam_faillock_deny=3 var_accounts_passwords_pam_faillock_fail_interval=900 var_accounts_passwords_pam_faillock_unlock_time=never +var_accounts_tmout=10_min var_accounts_user_umask=077 var_audit_backlog_limit=8192 var_auditd_action_mail_acct=root diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 51605073e242..89988d1a2991 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile 
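Review bot: The new control is given `id: RHEL-08-020353` while the commit subject says RHEL-08-020360, and the stability profiles in the same commit lose accounts_umask_etc_bashrc, accounts_umask_etc_csh_cshrc and accounts_umask_etc_profile even though the controls diff removes nothing. The preceding control, whose rules end with accounts_umask_etc_profile in the hunk context, is presumably the existing RHEL-08-020353 (its id line is above the hunk), so the duplicate id most likely replaces the umask control silently. Change the line to `- id: RHEL-08-020360` (or whatever id V2R6 assigns to the TMOUT requirement) and the umask rules should return to the profiles. The double blank line after `status: automated` is also a stray.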
@@ -35,10 +35,8 @@ accounts_passwords_pam_faillock_dir accounts_passwords_pam_faillock_interval accounts_passwords_pam_faillock_silent accounts_passwords_pam_faillock_unlock_time -accounts_umask_etc_bashrc -accounts_umask_etc_csh_cshrc +accounts_tmout accounts_umask_etc_login_defs -accounts_umask_etc_profile accounts_umask_interactive_users accounts_user_dot_no_world_writable_programs accounts_user_home_paths_only @@ -401,6 +399,7 @@ var_accounts_minimum_age_login_defs=1 var_accounts_passwords_pam_faillock_deny=3 var_accounts_passwords_pam_faillock_fail_interval=900 var_accounts_passwords_pam_faillock_unlock_time=never +var_accounts_tmout=10_min var_accounts_user_umask=077 var_audit_backlog_limit=8192 var_auditd_action_mail_acct=root From 726cc9f9b20fb93291713dc76add2d26da5cc486 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 6 Feb 2026 16:49:05 +0100 Subject: [PATCH 077/265] add rule to rhel8 stig --- products/rhel8/controls/stig_rhel8.yml | 1 + tests/data/profile_stability/rhel8/stig.profile | 1 + tests/data/profile_stability/rhel8/stig_gui.profile | 1 + 3 files changed, 3 insertions(+) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index aea4d514e123..1a92e6e946f2 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -976,6 +976,7 @@ controls: equivalent). rules: - partition_for_home + - accounts_user_interactive_home_directory_on_separate_partition status: automated - id: RHEL-08-010820 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 1f0a36e18083..7b2db3b82eb4 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile 
@@ -42,6 +42,7 @@ accounts_user_dot_no_world_writable_programs accounts_user_home_paths_only accounts_user_interactive_home_directory_defined accounts_user_interactive_home_directory_exists +accounts_user_interactive_home_directory_on_separate_partition accounts_users_home_files_groupownership accounts_users_home_files_permissions aide_build_database diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 89988d1a2991..399a2b8da5de 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -42,6 +42,7 @@ accounts_user_dot_no_world_writable_programs accounts_user_home_paths_only accounts_user_interactive_home_directory_defined accounts_user_interactive_home_directory_exists +accounts_user_interactive_home_directory_on_separate_partition accounts_users_home_files_groupownership accounts_users_home_files_permissions aide_build_database From 4a8f1f300ef0fe3f8cf2038f9939aa843b01dfac Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 12 Feb 2026 18:21:02 +0100 Subject: [PATCH 078/265] Invert order of datastreams comparison. It was considering the new datastream as the one from the fork point instead of the of from the pull request. --- .github/workflows/compare-ds.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/compare-ds.yaml b/.github/workflows/compare-ds.yaml index bb4b4041b990..b3589b71a88e 100644 --- a/.github/workflows/compare-ds.yaml +++ b/.github/workflows/compare-ds.yaml 
@@ -86,7 +86,7 @@ jobs: run: ./build_product ${{steps.product.outputs.prop}} --datastream-only - name: Compare datastreams if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - run: utils/compare_ds.py pr_artifacts/artifacts/ssg-${{steps.product.outputs.prop}}-ds.xml build/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log + run: utils/compare_ds.py build/ssg-${{steps.product.outputs.prop}}-ds.xml pr_artifacts/artifacts/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log env: PYTHONPATH: ${{ github.workspace }} - name: Test if there are datastream changes From c8e41341162be6270280ab69772ce27ece7e2a7d Mon Sep 17 00:00:00 2001 From: Arden97 Date: Thu, 12 Feb 2026 21:15:41 +0100 Subject: [PATCH 079/265] update stig_rhel9 to v2r7 --- products/rhel9/controls/stig_rhel9.yml | 46 +++---------------- .../data/profile_stability/rhel9/stig.profile | 1 - .../profile_stability/rhel9/stig_gui.profile | 1 - 3 files changed, 7 insertions(+), 41 deletions(-) diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 227fa056dea4..39bb4a26a47e 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -3,7 +3,7 @@ policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide' title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide' id: stig_rhel9 source: https://www.cyber.mil/stigs/downloads/ -version: V2R4 +version: V2R7 reference_type: stigid product: rhel9 
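Review bot: Both the old and the new `run:` line interpolate `${{steps.product.outputs.prop}}` straight into the shell command; if that output can be influenced by the pull request (a label, branch name or changed path), it is a command-injection point in a job that also downloads PR artifacts. Define `PRODUCT: ${{ steps.product.outputs.prop }}` under the step's `env:` and use `run: utils/compare_ds.py "build/ssg-${PRODUCT}-ds.xml" "pr_artifacts/artifacts/ssg-${PRODUCT}-ds.xml" | tee diff.log`. Separately, unless the job sets `shell: bash`, the default `bash -e` has no pipefail, so a crashing compare_ds.py is masked by `tee`; a `set -o pipefail` at the top of the step or an explicit `shell: bash` makes that failure visible. How `prop` is computed lies outside the hunk.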
@@ -1766,23 +1766,6 @@ controls: - sshd_enable_pam status: automated - - id: RHEL-09-255055 - levels: - - medium - title: RHEL 9 SSH daemon must be configured to use system-wide crypto policies. - rules: - - file_sshd_50_redhat_exists - - sshd_include_crypto_policy - status: automated - - - id: RHEL-09-255060 - levels: - - medium - title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of - SSH client connections. - rules: - - sshd_include_crypto_policy - status: automated - id: RHEL-09-255064 title: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client @@ -1795,9 +1778,10 @@ controls: - id: RHEL-09-255065 levels: - medium - title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of - SSH server connections. + title: The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing + FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. rules: + - sshd_include_crypto_policy - harden_sshd_ciphers_opensshserver_conf_crypto_policy - sshd_approved_ciphers=stig_rhel9 status: automated @@ -1872,6 +1856,7 @@ controls: - medium title: RHEL 9 SSH server configuration file must be group-owned by root. rules: + - file_sshd_50_redhat_exists - file_groupowner_sshd_config - directory_groupowner_sshd_config_d - file_groupowner_sshd_drop_in_config @@ -1882,6 +1867,7 @@ controls: - medium title: RHEL 9 SSH server configuration file must be owned by root. rules: + - file_sshd_50_redhat_exists - file_owner_sshd_config - directory_owner_sshd_config_d - file_owner_sshd_drop_in_config 
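Review bot: file_sshd_50_redhat_exists moves from the deleted RHEL-09-255055 into the two ownership controls, where it reads as a prerequisite rather than an ownership check, and nothing tells a reader of the group-owned/owned controls why an existence rule sits there. If the intent is that the ownership rules only evaluate files that exist, so the drop-in must be present for the check to mean anything, say so with a one-line comment above the rule, e.g. `# the drop-in must exist, otherwise the ownership checks below are vacuous`. If instead the file is required because it carries the crypto-policy Include, the rule belongs with RHEL-09-255065 next to sshd_include_crypto_policy.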
@@ -3281,14 +3267,6 @@ controls: roles appointed by the ISSM) to select which auditable events are to be audited. rules: - file_permissions_audit_configuration - status: automated - - - id: RHEL-09-653115 - levels: - - medium - title: RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized - access. - rules: - file_permissions_etc_audit_auditd status: automated @@ -3831,7 +3809,7 @@ controls: - id: RHEL-09-672020 levels: - medium - title: RHEL 9 crypto policy must not be overridden. + title: RHEL 9 cryptographic policy must not be overridden. notes: Rules for this control are intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/ are symlinks is not an appropriate way to verify the consistency of the system's cryptographic settings. The suggested fix mentioned in the STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file. @@ -3841,16 +3819,6 @@ controls: More information can be found at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening status: pending - - id: RHEL-09-672025 - levels: - - medium - title: RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive - orders, directives, policies, regulations, standards, and guidance for authentication to a - cryptographic module. - rules: - - configure_kerberos_crypto_policy - status: automated - - id: RHEL-09-672030 levels: - high diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index dc454159eb85..17ec849e8914 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile 
@@ -149,7 +149,6 @@ chronyd_specify_remote_server clean_components_post_updating configure_bind_crypto_policy configure_crypto_policy -configure_kerberos_crypto_policy configure_libreswan_crypto_policy configure_opensc_card_drivers configure_usbguard_auditbackend diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index 03b8e1739af5..35aef8879876 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -149,7 +149,6 @@ chronyd_specify_remote_server clean_components_post_updating configure_bind_crypto_policy configure_crypto_policy -configure_kerberos_crypto_policy configure_libreswan_crypto_policy configure_opensc_card_drivers configure_usbguard_auditbackend From fabc054a6220596f3a9d4c98c70e090f2ee867ed Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Tue, 10 Feb 2026 10:38:58 +0200 Subject: [PATCH 080/265] Fix test for dconf_gnome_screensaver_lock_enabled --- .../tests/comment.fail.sh | 8 ++++---- .../tests/correct_value.pass.sh | 4 ++-- .../tests/correct_value_unlocked.fail.sh | 2 +- .../tests/correct_value_wrong_db.fail.sh | 4 ++-- .../tests/wrong_value.fail.sh | 8 ++++---- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh index 727c75c9b9f6..df8d59312c91 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh 
@@ -7,9 +7,9 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_setting "org/gnome/desktop/lockdown", "disable-lock-screen", "true", "{{{ dconf_gdm_dir }}}", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "{{{ dconf_gdm_dir }}}", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "#disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}", "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" {{% else %}} -add_dconf_setting "org/gnome/desktop/screensaver", "#lock-enabled", "true", "local.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/screensaver", "lock-enabled", "local.d", "00-security-settings" +add_dconf_setting "org/gnome/desktop/screensaver" "#lock-enabled" "true" "local.d" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh index cafcf537ad09..4dfbde66f382 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh 
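Review bot: The new SLE `add_dconf_setting` line still carries a comma after `"{{{ dconf_gdm_dir }}}"`, which the rest of the commit removes everywhere else; in bash the comma is glued to the preceding word, so the argument in the position the other calls use for the db directory becomes `<dir>,` and the commented-out key is presumably written somewhere the scanner never reads. The test then fails for the wrong reason and would not catch a regression in comment handling. Drop it: `add_dconf_setting "org/gnome/desktop/lockdown" "#disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings"`.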
@@ -7,8 +7,8 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_settings "org/gnome/desktop/lockdown", "disable-lock-screen", "false", "{{{ dconf_gdm_dir }}}", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "{{{ dconf_gdm_dir }}}", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" {{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh index 2b1c071dfadc..c0993a206d03 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh @@ -7,7 +7,7 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_settings "org/gnome/desktop/lockdown", "disable-lock-screen", "false", "{{{ dconf_gdm_dir }}}", "00-security-settings" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings" {{% endif %}} 
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh index ed706e42f5ed..af49dcf086ef 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh @@ -7,8 +7,8 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_settings "org/gnome/desktop/lockdown", "disable-lock-screen", "false", "dummy.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "dummy.d", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "false" "dummy.d" "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "dummy.d" "00-security-settings-lock" {{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "dummy.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "dummy.d" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh index 5eba9dd21a82..a27061680661 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh 
@@ -7,9 +7,9 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_setting "org/gnome/desktop/lockdown", "disable-lock-screen", "true", "{{{ dconf_gdm_dir }}}", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "{{{ dconf_gdm_dir }}}", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" {{% else %}} -add_dconf_setting "org/gnome/desktop/screensaver", "lock-enabled", "false", "local.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/screensaver", "lock-enabled", "local.d", "00-security-settings" +add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "false" "local.d" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings" {{% endif %}} From 0a036fab2024f4010256e3bfd959d806f5d5417c Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 13 Feb 2026 10:26:31 +0100 Subject: [PATCH 081/265] remov enable_fips_mode rule entirely Per the STIG prose, the requirement does not exist there anymore. Or more exactly, it is covered by implementing proper FIPS crypto policy. --- products/rhel8/controls/stig_rhel8.yml | 2 -- tests/data/profile_stability/rhel8/stig.profile | 1 - tests/data/profile_stability/rhel8/stig_gui.profile | 1 - 3 files changed, 4 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 1a92e6e946f2..e99a79e115f0 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -70,8 +70,6 @@ controls: - var_authselect_profile=sssd - var_multiple_time_servers=stig - var_time_service_set_maxpoll=18_hours - # Enable / Configure FIPS - - enable_fips_mode # Other needed rules - enable_authselect 
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 7b2db3b82eb4..96093cf5a855 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -170,7 +170,6 @@ disable_users_coredumps disallow_bypass_password_sudo display_login_attempts enable_authselect -enable_fips_mode enable_gpgcheck_for_all_repositories encrypt_partitions ensure_epel_repos_disabled diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 399a2b8da5de..f9cec51a20b1 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -170,7 +170,6 @@ disable_users_coredumps disallow_bypass_password_sudo display_login_attempts enable_authselect -enable_fips_mode enable_gpgcheck_for_all_repositories encrypt_partitions ensure_epel_repos_disabled From 511bd447be467b6dc2d3187bb91a53e3d0546c06 Mon Sep 17 00:00:00 2001 From: Arden97 Date: Fri, 13 Feb 2026 10:41:48 +0100 Subject: [PATCH 082/265] add configure_kerberos_crypto_policy to default profile --- products/rhel9/profiles/default.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile index 20b0a150da0c..876e5516b32a 100644 --- a/products/rhel9/profiles/default.profile +++ b/products/rhel9/profiles/default.profile @@ -13,6 +13,7 @@ description: |- is to keep a rule in the product's XCCDF Benchmark. selections: + - configure_kerberos_crypto_policy - sshd_use_strong_kex - sebool_nfsd_anon_write - sebool_squid_connect_any From d957578d7ac4390db014144f1c73f3b8328b1d37 Mon Sep 17 00:00:00 2001 
From: Jiri Jaburek Date: Fri, 13 Feb 2026 12:45:29 +0100 Subject: [PATCH 083/265] remove Contest-based Fedora cTest execution This was likely a leftover from Beakerlib-era Fedora "downstream" testing - when we stopped doing it, we moved the only remaining valid test here. However since we run cTests via Github Actions in upstream, this extra test is likely unnecessary and complicates our Packit testing setup. Signed-off-by: Jiri Jaburek --- .packit.yaml | 5 ----- tests/tmt/plans/contest.fmf | 5 ----- 2 files changed, 10 deletions(-) diff --git a/.packit.yaml b/.packit.yaml index 8d456d18d276..d4c670b20ed6 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -36,11 +36,6 @@ jobs: # when modifying this, modify also tests/tmt-plans/ -- <<: *test-static-checks - identifier: /rpmbuild-ctest-fedora - tmt_plan: /plans/contest/rpmbuild-ctest-fedora$ - targets: - fedora-all: {} - <<: *test-static-checks identifier: /hardening/host-os/ansible/anssi_bp28_high tmt_plan: /plans/contest/hardening/host-os/ansible/anssi_bp28_high$ diff --git a/tests/tmt/plans/contest.fmf b/tests/tmt/plans/contest.fmf index 39056e491125..aceb2a6e306f 100644 --- a/tests/tmt/plans/contest.fmf +++ b/tests/tmt/plans/contest.fmf @@ -123,8 +123,3 @@ report: # The value of this test is debatable and therefore it should not delay upstream gating. # Our SCAP datastream is often noncompliant from the start, for example by containing SCE checks. - /static-checks/nist-validation - - -# Fedora specific plan -/rpmbuild-ctest-fedora: - discover+: {test: /static-checks/rpmbuild-ctest} From 801e12e0dd58de7bbc2b59875473d0e63884b30f Mon Sep 17 00:00:00 2001 From: Jiri Jaburek Date: Fri, 13 Feb 2026 12:50:38 +0100 Subject: [PATCH 084/265] unify the fedora-cis test under one directory Keeping plans/tests separate is not necessary, and the use case is isolated enough that it makes sense to keep all pieces of it together. 
Signed-off-by: Jiri Jaburek --- .packit.yaml | 2 +- tests/tmt/fedora-cis/main.fmf | 22 ++++++++++++++++++++++ tests/tmt/{tests => }/fedora-cis/test.sh | 0 tests/tmt/plans/fedora-cis.fmf | 7 ------- tests/tmt/tests/fedora-cis/main.fmf | 11 ----------- 5 files changed, 23 insertions(+), 19 deletions(-) create mode 100644 tests/tmt/fedora-cis/main.fmf rename tests/tmt/{tests => }/fedora-cis/test.sh (100%) delete mode 100644 tests/tmt/plans/fedora-cis.fmf delete mode 100644 tests/tmt/tests/fedora-cis/main.fmf diff --git a/.packit.yaml b/.packit.yaml index d4c670b20ed6..e40a632e546d 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -150,6 +150,6 @@ jobs: - <<: *test-static-checks identifier: fedora-cis - tmt_plan: /plans/fedora-cis$ + tmt_plan: /fedora-cis/plan$ targets: fedora-all: {} diff --git a/tests/tmt/fedora-cis/main.fmf b/tests/tmt/fedora-cis/main.fmf new file mode 100644 index 000000000000..2fe6663887e8 --- /dev/null +++ b/tests/tmt/fedora-cis/main.fmf @@ -0,0 +1,22 @@ +/plan: + discover: + how: fmf + test: /fedora-cis/test + execute: + how: tmt + report: + how: html + +/test: + summary: Runs oscap remediation using the CIS profile + description: |- + This ensures that the CIS profile is in a fairly good condition on + Fedora, to be used for ComplyTime demos, and as a baseline profile + for the community to target if they choose to adapt the ComplyTime + tooling. + test: ./test.sh + duration: 1h + require: + - openscap-scanner + - openscap-report + - scap-security-guide diff --git a/tests/tmt/tests/fedora-cis/test.sh b/tests/tmt/fedora-cis/test.sh similarity index 100% rename from tests/tmt/tests/fedora-cis/test.sh rename to tests/tmt/fedora-cis/test.sh diff --git a/tests/tmt/plans/fedora-cis.fmf b/tests/tmt/plans/fedora-cis.fmf deleted file mode 100644 index 7045aba0a895..000000000000 --- a/tests/tmt/plans/fedora-cis.fmf +++ /dev/null @@ -1,7 +0,0 @@ -discover: - how: fmf - test: /tests/fedora-cis -execute: - how: tmt -report: - how: html 
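Review bot: The `/test` node lists `scap-security-guide` under `require`, and that line is what ties the test to the content under review: under Packit the PR's copr build is presumably what satisfies it, whereas a plain `tmt run` on a workstation pulls the Fedora-packaged datastream and silently tests the wrong content. A short comment on that line would save the next person the surprise, e.g. `# satisfied by the PR's copr build under Packit; a local tmt run tests the distro package instead`. test.sh is not shown here, so whether it guards against this is unknown.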
diff --git a/tests/tmt/tests/fedora-cis/main.fmf b/tests/tmt/tests/fedora-cis/main.fmf deleted file mode 100644 index f4f82cb0cd8e..000000000000 --- a/tests/tmt/tests/fedora-cis/main.fmf +++ /dev/null @@ -1,11 +0,0 @@ -summary: Runs oscap remediation using the CIS profile -description: |- - This ensures that the CIS profile is in a fairly good condition on Fedora, - to be used for ComplyTime demos, and as a baseline profile for the community - to target if they choose to adapt the ComplyTime tooling. -test: ./test.sh -duration: 1h -require: - - openscap-scanner - - openscap-report - - scap-security-guide From 61a9ce6357123a0738be07ef0f46433766e6af1a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 13 Feb 2026 13:58:27 +0100 Subject: [PATCH 085/265] drop two more controls which no longer exist in the latest STIG --- products/rhel8/controls/stig_rhel8.yml | 16 ---------------- products/rhel8/profiles/default.profile | 1 + tests/data/profile_stability/rhel8/stig.profile | 2 -- .../profile_stability/rhel8/stig_gui.profile | 2 -- 4 files changed, 1 insertion(+), 20 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index e99a79e115f0..d1a89b634457 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -806,14 +806,6 @@ controls: - mount_option_nosuid_remote_filesystems status: automated - - id: RHEL-08-010660 - levels: - - medium - title: Local RHEL 8 initialization files must not execute world-writable programs. - rules: - - accounts_user_dot_no_world_writable_programs - status: automated - - id: RHEL-08-010670 levels: - medium @@ -1375,14 +1367,6 @@ controls: - sshd_disable_empty_passwords status: automated - - id: RHEL-08-020340 - levels: - - low - title: RHEL 8 must display the date and time of the last successful account logon upon logon. - rules: - - display_login_attempts - status: automated - - id: RHEL-08-020350 levels: - medium 
diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile index 9b9d1816c25c..6865a9615f79 100644 --- a/products/rhel8/profiles/default.profile +++ b/products/rhel8/profiles/default.profile @@ -737,3 +737,4 @@ selections: - configure_gnutls_tls_crypto_policy - configure_openssl_tls_crypto_policy - sshd_use_approved_kex_ordered_stig + - accounts_user_dot_no_world_writable_programs diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 96093cf5a855..a07eb83d2943 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -38,7 +38,6 @@ accounts_passwords_pam_faillock_unlock_time accounts_tmout accounts_umask_etc_login_defs accounts_umask_interactive_users -accounts_user_dot_no_world_writable_programs accounts_user_home_paths_only accounts_user_interactive_home_directory_defined accounts_user_interactive_home_directory_exists @@ -168,7 +167,6 @@ disable_ctrlaltdel_burstaction disable_ctrlaltdel_reboot disable_users_coredumps disallow_bypass_password_sudo -display_login_attempts enable_authselect enable_gpgcheck_for_all_repositories encrypt_partitions diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index f9cec51a20b1..52f48890ab39 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -38,7 +38,6 @@ accounts_passwords_pam_faillock_unlock_time accounts_tmout accounts_umask_etc_login_defs accounts_umask_interactive_users -accounts_user_dot_no_world_writable_programs accounts_user_home_paths_only accounts_user_interactive_home_directory_defined accounts_user_interactive_home_directory_exists 
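Review bot: Only accounts_user_dot_no_world_writable_programs is parked in default.profile, while the two stability profiles in this commit also lose display_login_attempts; if no other rhel8 profile selects it, it drops out of the datastream together with the removed RHEL-08-020340 control. Either add `- display_login_attempts` here as well, or note in the commit why it is covered elsewhere.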
@@ -168,7 +167,6 @@ disable_ctrlaltdel_burstaction disable_ctrlaltdel_reboot disable_users_coredumps disallow_bypass_password_sudo -display_login_attempts enable_authselect enable_gpgcheck_for_all_repositories encrypt_partitions From 18681272d513d6d23100a746e1b72b8397e6cdc1 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 13 Feb 2026 07:54:54 -0600 Subject: [PATCH 086/265] Update RHEL 9 STIG version in profile for V2R7 --- products/rhel9/profiles/stig.profile | 4 ++-- products/rhel9/profiles/stig_gui.profile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile index 25ec12884fcc..d2d156f5325f 100644 --- a/products/rhel9/profiles/stig.profile +++ b/products/rhel9/profiles/stig.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R6 + version: V2R7 SMEs: - mab879 - ggbecker @@ -13,7 +13,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 9 V2R6. + DISA STIG for Red Hat Enterprise Linux 9 V2R7. In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is applicable to the operating system tier of diff --git a/products/rhel9/profiles/stig_gui.profile b/products/rhel9/profiles/stig_gui.profile index 84f6010b8bce..f4dd8575e3db 100644 --- a/products/rhel9/profiles/stig_gui.profile +++ b/products/rhel9/profiles/stig_gui.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R6 + version: V2R7 SMEs: - mab879 - ggbecker 
@@ -13,7 +13,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 9 V2R6. + DISA STIG for Red Hat Enterprise Linux 9 V2R7. In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is applicable to the operating system tier of From c6a68f039fde1be218f0f5bbf6aae0d62e49fe07 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 13 Feb 2026 15:13:32 +0100 Subject: [PATCH 087/265] update version in the profile --- products/rhel8/controls/stig_rhel8.yml | 2 +- products/rhel8/profiles/stig.profile | 4 ++-- products/rhel8/profiles/stig_gui.profile | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index d1a89b634457..a50b9e2e66a3 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -2,7 +2,7 @@ policy: Red Hat Enterprise Linux 8 Security Technical Implementation Guide title: Red Hat Enterprise Linux 8 Security Technical Implementation Guide id: stig_rhel8 -version: V2R5 +version: V2R6 source: https://www.cyber.mil/stigs/downloads reference_type: stigid product: rhel8 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 0369365b5d48..093b78a38b73 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R5 + version: V2R6 SMEs: - mab879 - ggbecker @@ -13,7 +13,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V2R5. + DISA STIG for Red Hat Enterprise Linux 8 V2R6. In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline is applicable to the operating system tier of 
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index 6d3e322442a5..56f1126f614b 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R5 + version: V2R6 SMEs: - mab879 - ggbecker @@ -13,7 +13,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V2R5. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V2R6. In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline is applicable to the operating system tier of From 67d48fcc7b0da159dc3b6481d43d95bb342f9053 Mon Sep 17 00:00:00 2001 
From: Jiri Jaburek Date: Fri, 13 Feb 2026 12:54:55 +0100 Subject: [PATCH 088/265] combine Packit jobs running Contest The new layout has much fewer jobs: - centos-stream-8-x86_64:contest-oscap - centos-stream-8-x86_64:contest-ansible - centos-stream-9-x86_64:contest-oscap - centos-stream-9-x86_64:contest-ansible - centos-stream-10-x86_64:contest-oscap - centos-stream-10-x86_64:contest-ansible while keeping at least some separation for re-running. Within each job, all tests still execute in parallel, as parallel tmt plans, so there shouldn't be any extra performance hit or added delay. The coalescing will however vastly reduce the amount of Testing Farm "requests", hopefully reducing load on TF a lot, in addition to reducing load on Github runners. --- I opted for defining the plans on the Contest side instead of in tests/tmt/ because support for plan importing (as we did before) is limited and ie. doesn't allow filtering by tags. Having the plans in Contest allows us to automatically filter out profiles which are subsets of others, tests that always fail by design, etc., etc. We also don't need to worry about which tests/profiles are on which CentOS Stream, since Contest has "adjust" rules for that already, and an empty plan is automatically SKIPPED by Testing Farm. Signed-off-by: Jiri Jaburek --- .packit.yaml | 135 +++++------------------------------- tests/tmt/plans/contest.fmf | 125 --------------------------------- 2 files changed, 17 insertions(+), 243 deletions(-) delete mode 100644 tests/tmt/plans/contest.fmf diff --git a/.packit.yaml b/.packit.yaml index e40a632e546d..9b9987caac16 100644 --- a/.packit.yaml +++ b/.packit.yaml 
@@ -23,133 +23,32 @@ jobs: trigger: commit branch: "gh-readonly-queue/.*" -- &test-static-checks +- &contest-oscap job: tests trigger: pull_request - fmf_path: tests/tmt - identifier: /static-checks - tmt_plan: /plans/contest/static-checks$ + fmf_url: https://github.com/RHSecurityCompliance/contest.git + fmf_ref: main + tmt_plan: /plans/upstream-parallel/oscap + identifier: contest-oscap targets: centos-stream-8: {} centos-stream-9: {} centos-stream-10: {} + tf_extra_params: + settings: + pipeline: + parallel-limit: 32 -# when modifying this, modify also tests/tmt-plans/ +- <<: *contest-oscap + tmt_plan: /plans/upstream-parallel/ansible + identifier: contest-ansible -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/anssi_bp28_high - tmt_plan: /plans/contest/hardening/host-os/ansible/anssi_bp28_high$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/bsi - tmt_plan: /plans/contest/hardening/host-os/ansible/bsi$ - targets: - centos-stream-9: {} - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ccn_advanced - tmt_plan: /plans/contest/hardening/host-os/ansible/ccn_advanced$ - targets: - centos-stream-9: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis - tmt_plan: /plans/contest/hardening/host-os/ansible/cis$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis_server_l1 - tmt_plan: /plans/contest/hardening/host-os/ansible/cis_server_l1$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis_workstation_l1 - tmt_plan: /plans/contest/hardening/host-os/ansible/cis_workstation_l1$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis_workstation_l2 - tmt_plan: /plans/contest/hardening/host-os/ansible/cis_workstation_l2$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cui - tmt_plan: /plans/contest/hardening/host-os/ansible/cui$ - targets: - centos-stream-8: {} - centos-stream-9: {} -- <<: 
*test-static-checks - identifier: /hardening/host-os/ansible/e8 - tmt_plan: /plans/contest/hardening/host-os/ansible/e8$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/hipaa - tmt_plan: /plans/contest/hardening/host-os/ansible/hipaa$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ism_o - tmt_plan: /plans/contest/hardening/host-os/ansible/ism_o$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ism_o_top_secret - tmt_plan: /plans/contest/hardening/host-os/ansible/ism_o_top_secret$ - targets: - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ospp - tmt_plan: /plans/contest/hardening/host-os/ansible/ospp$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/pci-dss - tmt_plan: /plans/contest/hardening/host-os/ansible/pci-dss$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/stig - tmt_plan: /plans/contest/hardening/host-os/ansible/stig$ - -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/anssi_bp28_high - tmt_plan: /plans/contest/hardening/host-os/oscap/anssi_bp28_high$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/bsi - tmt_plan: /plans/contest/hardening/host-os/oscap/bsi$ - targets: - centos-stream-9: {} - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ccn_advanced - tmt_plan: /plans/contest/hardening/host-os/oscap/ccn_advanced$ - targets: - centos-stream-9: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cis - tmt_plan: /plans/contest/hardening/host-os/oscap/cis$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cis_server_l1 - tmt_plan: /plans/contest/hardening/host-os/oscap/cis_server_l1$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cis_workstation_l1 - tmt_plan: /plans/contest/hardening/host-os/oscap/cis_workstation_l1$ -- <<: *test-static-checks - identifier: 
/hardening/host-os/oscap/cis_workstation_l2 - tmt_plan: /plans/contest/hardening/host-os/oscap/cis_workstation_l2$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cui - tmt_plan: /plans/contest/hardening/host-os/oscap/cui$ - targets: - centos-stream-8: {} - centos-stream-9: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/e8 - tmt_plan: /plans/contest/hardening/host-os/oscap/e8$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/hipaa - tmt_plan: /plans/contest/hardening/host-os/oscap/hipaa$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ism_o - tmt_plan: /plans/contest/hardening/host-os/oscap/ism_o$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ism_o_top_secret - tmt_plan: /plans/contest/hardening/host-os/oscap/ism_o_top_secret$ - targets: - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ospp - tmt_plan: /plans/contest/hardening/host-os/oscap/ospp$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/pci-dss - tmt_plan: /plans/contest/hardening/host-os/oscap/pci-dss$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/stig - tmt_plan: /plans/contest/hardening/host-os/oscap/stig$ +# when modifying anything below, modify also tests/tmt/ -- <<: *test-static-checks - identifier: fedora-cis +- job: tests + trigger: pull_request + fmf_path: tests/tmt tmt_plan: /fedora-cis/plan$ + identifier: fedora-cis targets: fedora-all: {} diff --git a/tests/tmt/plans/contest.fmf b/tests/tmt/plans/contest.fmf deleted file mode 100644 index aceb2a6e306f..000000000000 --- a/tests/tmt/plans/contest.fmf +++ /dev/null 
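Review bot: `fmf_ref: main` under the new `contest-oscap` anchor pulls the test plans from a mutable branch of an external repository, so any push to RHSecurityCompliance/contest changes what runs against every pull request here without a reviewable change in this repo. Pin `fmf_ref` to a tag or commit SHA and bump it deliberately (the workflows already pin actions by SHA, e.g. `actions/upload-artifact@b7c566a… # v4`), or at least say in the comment above the job why a floating ref is acceptable. Note also that the removed per-profile `targets:` restrictions (bsi, ccn_advanced, cui, ism_o_top_secret) are now enforced only by Contest's adjust rules producing an empty plan, so coverage of a given CentOS Stream is now decided entirely by the external repo.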
@@ -1,125 +0,0 @@ -discover: - how: fmf - url: https://github.com/RHSecurityCompliance/contest.git -execute: - how: tmt -adjust: - - environment: - CONTEST_VERBOSE: 0 -report: - how: html - -# -# Hardening via ansible-playbook remediation -# - -/hardening/host-os/ansible/anssi_bp28_high: - discover+: {test: /hardening/host-os/ansible/anssi_bp28_high$} - -/hardening/host-os/ansible/bsi: - discover+: {test: /hardening/host-os/ansible/bsi$} - -/hardening/host-os/ansible/ccn_advanced: - discover+: {test: /hardening/host-os/ansible/ccn_advanced$} - -/hardening/host-os/ansible/cis: - discover+: {test: /hardening/host-os/ansible/cis$} - -/hardening/host-os/ansible/cis_server_l1: - discover+: {test: /hardening/host-os/ansible/cis_server_l1$} - -/hardening/host-os/ansible/cis_workstation_l1: - discover+: {test: /hardening/host-os/ansible/cis_workstation_l1$} - -/hardening/host-os/ansible/cis_workstation_l2: - discover+: {test: /hardening/host-os/ansible/cis_workstation_l2$} - -/hardening/host-os/ansible/cui: - discover+: {test: /hardening/host-os/ansible/cui$} - -/hardening/host-os/ansible/e8: - discover+: {test: /hardening/host-os/ansible/e8$} - -/hardening/host-os/ansible/hipaa: - discover+: {test: /hardening/host-os/ansible/hipaa$} - -/hardening/host-os/ansible/ism_o: - discover+: {test: /hardening/host-os/ansible/ism_o$} - -/hardening/host-os/ansible/ism_o_top_secret: - discover+: {test: /hardening/host-os/ansible/ism_o_top_secret$} - -/hardening/host-os/ansible/ospp: - discover+: {test: /hardening/host-os/ansible/ospp$} - -/hardening/host-os/ansible/pci-dss: - discover+: {test: /hardening/host-os/ansible/pci-dss$} - -/hardening/host-os/ansible/stig: - discover+: {test: /hardening/host-os/ansible/stig$} - -# -# Hardening via oscap xccdf eval --remediate -# - -/hardening/host-os/oscap/anssi_bp28_high: - discover+: {test: /hardening/host-os/oscap/anssi_bp28_high$} - -/hardening/host-os/oscap/bsi: - discover+: {test: /hardening/host-os/oscap/bsi$} - 
-/hardening/host-os/oscap/ccn_advanced: - discover+: {test: /hardening/host-os/oscap/ccn_advanced$} - -/hardening/host-os/oscap/cis: - discover+: {test: /hardening/host-os/oscap/cis$} - -/hardening/host-os/oscap/cis_server_l1: - discover+: {test: /hardening/host-os/oscap/cis_server_l1$} - -/hardening/host-os/oscap/cis_workstation_l1: - discover+: {test: /hardening/host-os/oscap/cis_workstation_l1$} - -/hardening/host-os/oscap/cis_workstation_l2: - discover+: {test: /hardening/host-os/oscap/cis_workstation_l2$} - -/hardening/host-os/oscap/cui: - discover+: {test: /hardening/host-os/oscap/cui$} - -/hardening/host-os/oscap/e8: - discover+: {test: /hardening/host-os/oscap/e8$} - -/hardening/host-os/oscap/hipaa: - discover+: {test: /hardening/host-os/oscap/hipaa$} - -/hardening/host-os/oscap/ism_o: - discover+: {test: /hardening/host-os/oscap/ism_o$} - -/hardening/host-os/oscap/ism_o_top_secret: - discover+: {test: /hardening/host-os/oscap/ism_o_top_secret$} - -/hardening/host-os/oscap/ospp: - discover+: {test: /hardening/host-os/oscap/ospp$} - -/hardening/host-os/oscap/pci-dss: - discover+: {test: /hardening/host-os/oscap/pci-dss$} - -/hardening/host-os/oscap/stig: - discover+: {test: /hardening/host-os/oscap/stig$} - -# -# Misc smoke/sanity tests -# - -/static-checks: - discover+: - test: /static-checks - exclude: - # exclude here due to the test failing frequently for short periods - # of time, as many websites have temporary availability issues - - /static-checks/html-links - # these always fail, meant for manual review - - /static-checks/diff - # The value of this test is debatable and therefore it should not delay upstream gating. - # Our SCAP datastream is often noncompliant from the start, for example by containing SCE checks. - - /static-checks/nist-validation From 9d22ff9518bf5bce39d5e9a3e1581fe77f50f13f Mon Sep 17 00:00:00 2001 
From: "red-hat-konflux-kflux-prd-rh02[bot]" <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com> Date: Fri, 13 Feb 2026 20:15:25 +0000 Subject: [PATCH 089/265] chore(deps): update dependency compliance-trestle to v3.12.0 Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index bcca1c6c2aaf..5c95ce49307e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,6 +15,6 @@ pycompliance prometheus_client # used in utils/oscal requests -compliance-trestle==3.11.0 +compliance-trestle==3.12.0 pyopenssl>=23.2.0 pcre2 From 511cbbc8c43ad7ebe0f6637dbb1f70a52231cf1e Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sat, 14 Feb 2026 17:22:33 +0200 Subject: [PATCH 090/265] Drop unneeded sudo in bash remediation --- .../no_empty_passwords_etc_shadow/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh index dd8ad70a8c69..d844d60048b9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_all -readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) +readarray -t users_with_empty_pass < <(awk -F: '!$2 {print $1}' /etc/shadow) for user_with_empty_pass in "${users_with_empty_pass[@]}" do From 42f5e04249caad17c6d07d0de69b8110e6afe200 Mon Sep 17 00:00:00 2001 
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sat, 14 Feb 2026 17:43:46 +0200 Subject: [PATCH 091/265] add recursive for sle16 wtmp,btmp and lastlog not needed: sle16 uses pam_lastlog2.so (which writes in /var/lib/) --- .../system/permissions/files/permissions_local_var_log/rule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml index af819ea482cb..1be0bd45ad28 100644 --- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml @@ -63,6 +63,7 @@ template: filepath: /var/log/ recursive@sle12: 'true' recursive@sle15: 'true' + recursive@sle16: 'true' recursive@slmicro5: 'true' recursive@slmicro6: 'true' recursive@ubuntu2204: 'true' From ced8d1a97422d715709fb7809d5cb048eecbe5a5 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sat, 14 Feb 2026 17:51:12 +0200 Subject: [PATCH 092/265] SLE16 set filemode parameter for file_permissions_etc_shadow and file_permissions_backup_etc_shadow --- .../file_permissions_backup_etc_shadow/rule.yml | 1 + .../file_permissions_etc_shadow/rule.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml index c2080fde3fcd..b3e300599f20 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml 
@@ -57,3 +57,4 @@ template: filemode@ubuntu2404: '0640' filemode@sle12: '0640' filemode@sle15: '0640' + filemode@sle16: '0640' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml index e52241f482f1..1e0ec24f75d1 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml @@ -69,5 +69,6 @@ template: filemode@debian13: '0640' filemode@sle12: '0640' filemode@sle15: '0640' + filemode@sle16: '0640' filemode@ubuntu2204: '0640' filemode@ubuntu2404: '0640' From 43d65f87cc72ab67b62afb9a4274fd67d839a617 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sat, 14 Feb 2026 17:57:26 +0200 Subject: [PATCH 093/265] Enable sle16 remeditaions in grub2_enable_selinux --- .../system/selinux/grub2_enable_selinux/ansible/shared.yml | 2 +- .../guide/system/selinux/grub2_enable_selinux/bash/shared.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml index 38c97f2e8870..4ddfa4f42c56 100644 --- a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml +++ b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml 
@@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15,multi_platform_almalinux +# platform = SUSE Linux Enterprise 15,SUSE Linux Enterprise 16,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh index 997a564e0c71..b9c10607aa7b 100644 --- a/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh +++ b/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15,multi_platform_almalinux +# platform = SUSE Linux Enterprise 15,SUSE Linux Enterprise 16,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* From c76769a965f5195e39b5e6e967a570751c2aaacc Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 16 Feb 2026 17:02:36 +0100 Subject: [PATCH 094/265] Update list of contributors --- Contributors.md | 8 +++++++- Contributors.xml | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/Contributors.md b/Contributors.md index 55250d73f1a4..101b83176b2f 100644 --- a/Contributors.md +++ b/Contributors.md @@ -1,5 +1,5 @@ The following people have contributed to the SCAP Security Guide project @@ -73,6 +73,7 @@ The following people have contributed to the SCAP Security Guide project * cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com> * Maura Dailey * Benjamin Deering +* Shane Dell * Klaas Demter * denknorr * dhanushkar-wso2 
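Review bot: Enabling the bash remediation for SUSE Linux Enterprise 16 makes `sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*` run on a platform where this change does not establish that `/etc/grub2.cfg` and `/etc/grub.d/*` exist; GNU sed reports a missing operand and returns non-zero, which would make the remediation fail on an otherwise compliant host. Guard the operands, e.g. `for f in /etc/default/grub /etc/grub2.cfg /etc/grub.d/*; do [ -f "$f" ] && sed -i --follow-symlinks "s/selinux=0//gI" "$f"; done` (same for `enforcing=0`), or confirm the paths on SLE 16 and say so in the platform comment. The remainder of the script is outside the hunk.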
@@ -82,6 +83,7 @@ The following people have contributed to the SCAP Security Guide project * Marco De Donno * dperrone * drax +* Qingmin Duanmu * Sebastian Dunne * François Duthilleul * Greg Elin @@ -91,6 +93,8 @@ The following people have contributed to the SCAP Security Guide project * Evelyn * Alexis Facques * Jan Fader +* felixmarch +* Asser Schrøder Femø * Henry Finucane * Leah Fisher * Marco Fortina @@ -135,6 +139,7 @@ The following people have contributed to the SCAP Security Guide project * Simon John * Hunter Jones * Jono +* julius.ish * justchris1 * Kacper * Kai Kang @@ -303,6 +308,7 @@ The following people have contributed to the SCAP Security Guide project * Nico Truzzolino * Brian Turek * Matěj Týč +* Jörgen Uhr * VadimDor <29509093+VadimDor@users.noreply.github.com> * Trevor Vaughan * vtrubovics <82443408+vtrubovics@users.noreply.github.com> diff --git a/Contributors.xml b/Contributors.xml index edbff6a8b209..4ddf06841137 100644 --- a/Contributors.xml +++ b/Contributors.xml @@ -1,5 +1,5 @@ @@ -71,6 +71,7 @@ Last Modified: 2025-11-20 08:44 UTC cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com> Maura Dailey <maura@eclipse.ncsc.mil> Benjamin Deering <ben_deering@jeepingben.net> +Shane Dell <shanedell100@gmail.com> Klaas Demter <demter@atix.de> denknorr <dennis.knorr@suse.com> dhanushkar-wso2 <dhanushkar@wso2.com> @@ -80,6 +81,7 @@ Last Modified: 2025-11-20 08:44 UTC Marco De Donno <mdedonno1337@gmail.com> dperrone <dperrone@redhat.com> drax <applezip@gmail.com> +Qingmin Duanmu <qduanmu@redhat.com> Sebastian Dunne <sdunne@redhat.com> François Duthilleul <francoisduthilleul@gmail.com> Greg Elin <gregelin@gitmachines.com> 
@@ -89,6 +91,8 @@ Last Modified: 2025-11-20 08:44 UTC Evelyn <evansvevelyn@gmail.com> Alexis Facques <alexis.facques@mythalesgroup.io> Jan Fader <jan.fader@web.de> +felixmarch <felixmarch@users.noreply.github.com> +Asser Schrøder Femø <asser@asser.org> Henry Finucane <hfinucane@zscaler.com> Leah Fisher <lfisher047@gmail.com> Marco Fortina <marco_fortina@hotmail.it> @@ -133,6 +137,7 @@ Last Modified: 2025-11-20 08:44 UTC Simon John <sjohn@tuxcare.com> Hunter Jones <hjones2199@gmail.com> Jono <jono@ubuntu-18.localdomain> +julius.ish <julius.ish@zetier.com> justchris1 <justchris1@justchris1.email> Kacper <kacper@kacper.se> Kai Kang <kai.kang@windriver.com> @@ -301,6 +306,7 @@ Last Modified: 2025-11-20 08:44 UTC Nico Truzzolino <nico.truzzolino@gmx.de> Brian Turek <brian.turek@gmail.com> Matěj Týč <matyc@redhat.com> +Jörgen Uhr <jorgen.uhr@sitevision.se> VadimDor <29509093+VadimDor@users.noreply.github.com> Trevor Vaughan <tvaughan@onyxpoint.com> vtrubovics <82443408+vtrubovics@users.noreply.github.com> From c966314e6485f4a0819a09cd9b10d53726b80513 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 16 Feb 2026 17:25:09 +0100 Subject: [PATCH 095/265] Fix the logic of calculating if it displays next year or current. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The logic: if month <= latest_release_date.month Examples: 1. Latest release: November (month 11) → Next: February (month 2) - 2 <= 11 = True → year + 1 = 2026 ✓ 2. Latest release: August (month 8) → Next: November (month 11) - 11 <= 8 = False → same year ✓ 3. Latest release: February (month 2) → Next: May (month 5) - 5 <= 2 = False → same year ✓ --- utils/release_helper.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/utils/release_helper.py b/utils/release_helper.py index e351a2f797f7..d123003997db 100755 --- a/utils/release_helper.py +++ b/utils/release_helper.py 
@@ -353,9 +353,10 @@ def get_next_stabilization_date(release_date: datetime) -> datetime: def get_next_release_date(latest_release_date: datetime) -> datetime: month = get_next_quarter_second_month(latest_release_date) - now = datetime.now(UTC) - if month > 9 and latest_release_date <= now: + # If the next release month is earlier in the year than the latest release month, + # it means we've wrapped around to the next year + if month <= latest_release_date.month: year = latest_release_date.year + 1 else: year = latest_release_date.year From 135910eb90fb52f2555d99bbab26839398f9f811 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 23 Jan 2026 13:43:29 -0600 Subject: [PATCH 096/265] Move to nproc over hard coded 2 to ensure we are fully using CI boxes. --- .github/workflows/gate-lint-ansible-roles.yaml | 2 +- .github/workflows/gate.yaml | 12 ++++++------ .github/workflows/gate_fedora.yml | 4 ++-- .github/workflows/gh-pages.yaml | 6 +++--- .github/workflows/nightly_build.yml | 8 ++++---- .github/workflows/release.yaml | 8 ++++---- .github/workflows/srg-mapping-table.yaml | 2 +- .github/workflows/stabilize.yaml | 8 ++++---- 8 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/gate-lint-ansible-roles.yaml b/.github/workflows/gate-lint-ansible-roles.yaml index 4677e8c16fd9..dd540cb2beed 100644 --- a/.github/workflows/gate-lint-ansible-roles.yaml +++ b/.github/workflows/gate-lint-ansible-roles.yaml @@ -20,7 +20,7 @@ jobs: run: cmake -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -DSSG_PRODUCT_RHEL10=ON -G Ninja .. working-directory: ./build - name: Build - run: ninja -j2 rhel10-profile-playbooks rhel9-profile-playbooks rhel8-profile-playbooks + run: ninja -j$(nproc) rhel10-profile-playbooks rhel9-profile-playbooks rhel8-profile-playbooks working-directory: ./build - name: Build Ansible Roles run: PYTHONPATH=. python3 utils/ansible_playbook_to_role.py --build-playbooks-dir ./build/ansible/ --dry-run ./build/ansible_roles 
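Review bot: The comment added above the new condition says "earlier in the year", but the test is `month <= latest_release_date.month`, which also treats an equal month as a wrap-around; make the comment and the operator agree, e.g. `if month < latest_release_date.month:` if get_next_quarter_second_month can never return the current month (the quarterly examples in the commit message suggest it cannot), or write "earlier than or equal to" in the comment. The removed `now = datetime.now(UTC)` was the only use of `UTC` in the hunk, so check the module for a now-unused import. The rest of get_next_release_date is outside the hunk.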
diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index ac71f9dcd90c..ed304455555f 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -37,7 +37,7 @@ jobs: - name: Build run: ./build_product sle12 sle15 - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-suse: @@ -55,7 +55,7 @@ jobs: env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-debian: @@ -81,7 +81,7 @@ jobs: ./build_product debian11 debian12 debian13 - name: Test working-directory: ./build - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids validate-ubuntu-22-04: name: Build, Test on Ubuntu 22.04 @@ -99,7 +99,7 @@ jobs: run: |- ./build_product ubuntu2204 - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-ubuntu-24-04: @@ -118,7 +118,7 @@ jobs: run: |- ./build_product ubuntu2404 - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-fedora-rawhide: @@ -141,5 +141,5 @@ jobs: env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml index d70d0507ab5b..27ddc8cdf3d0 100644 --- a/.github/workflows/gate_fedora.yml +++ b/.github/workflows/gate_fedora.yml 
@@ -24,7 +24,7 @@ jobs: run: pip install pcre2==0.4.0 -r requirements.txt -r test-requirements.txt - name: Build run: |- - ./build_product -j2 \ + ./build_product -j$(nproc) \ al2023 \ alinux2 \ alinux3 \ @@ -69,7 +69,7 @@ jobs: unzip /__w/content/content/old_release.zip -d /__w/content/content/old_release mv /__w/content/content/old_release/*/* /__w/content/content/old_release/ - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build - name: "Set git safe directory, ref: https://github.com/actions/checkout/issues/760" run: git config --global --add safe.directory "$GITHUB_WORKSPACE" diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml index b18fbe5a6814..8fd1cd5d06b7 100644 --- a/.github/workflows/gh-pages.yaml +++ b/.github/workflows/gh-pages.yaml @@ -30,13 +30,13 @@ jobs: run: cmake .. -G Ninja -DCMAKE_BUILD_TYPE=Debug working-directory: ./build - name: Build Guides and Mapping Tables - run: ninja -j2 + run: ninja -j$(nproc) working-directory: ./build - name: Build Statistics - run: ninja html-stats html-profile-stats -j2 + run: ninja html-stats html-profile-stats -j$(nproc) working-directory: ./build - name: Render Policies (Using control files) - run: ninja render-policies -j2 + run: ninja render-policies -j$(nproc) working-directory: ./build - name: Generate Prometheus Metrics run: utils/controleval_metrics.py prometheus -p fedora ocp4 rhcos4 rhel10 rhel9 rhel8 sle12 sle15 -f ./build/policies_metrics diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml index be4ec6457e5f..de6dd8846a79 100644 --- a/.github/workflows/nightly_build.yml +++ b/.github/workflows/nightly_build.yml 
@@ -20,16 +20,16 @@ jobs: run: cmake -G Ninja .. working-directory: ./build - name: Build All - run: ninja -j2 all + run: ninja -j$(nproc) all working-directory: ./build - name: Build ZIP - run: ninja -j2 zipfile + run: ninja -j$(nproc) zipfile working-directory: ./build - name: Test - run: ctest -j2 --output-on-failure -E linkchecker + run: ctest -j$(nproc) --output-on-failure -E linkchecker working-directory: ./build - name: Build Package Source - run: ninja -j2 package_source + run: ninja -j$(nproc) package_source working-directory: ./build - name: 'Upload Artifact' uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 71bec17c9275..cf3ef4c477a7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,16 +19,16 @@ jobs: run: cmake .. working-directory: ./build - name: Build All - run: make -j2 all + run: make -j$(nproc) all working-directory: ./build - name: Build ZIP - run: make -j2 zipfile + run: make -j$(nproc) zipfile working-directory: ./build - name: Test - run: ctest -j2 --output-on-failure -E linkchecker + run: ctest -j$(nproc) --output-on-failure -E linkchecker working-directory: ./build - name: Build Package Source - run: make -j2 package_source + run: make -j$(nproc) package_source working-directory: ./build - name: Set Version id: set_version diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml index 9a53ef550953..4771f2b008b7 100644 --- a/.github/workflows/srg-mapping-table.yaml +++ b/.github/workflows/srg-mapping-table.yaml @@ -30,7 +30,7 @@ jobs: run: cmake .. -G Ninja working-directory: ./build - name: Build - run: ninja -j2 rhel10 rhel9 ocp4 + run: ninja -j$(nproc) rhel10 rhel9 ocp4 working-directory: ./build - name: Build rule dir json run: python3 utils/rule_dir_json.py 
diff --git a/.github/workflows/stabilize.yaml b/.github/workflows/stabilize.yaml index ca18e3a388c4..57a80b63e741 100644 --- a/.github/workflows/stabilize.yaml +++ b/.github/workflows/stabilize.yaml @@ -24,7 +24,7 @@ jobs: run: cmake -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF -DANSIBLE_CHECKS=ON -DENABLE_SCAPVAL13=ON -DSCAPVAL_PATH='/opt/scapval/SCAP-Content-Validation-Tool-1.3.5/scapval-1.3.5.jar' .. working-directory: ./build - name: Build All - run: make -j2 all + run: make -j$(nproc) all working-directory: ./build - name: Get SCAPVAL run: wget $SCAPVAL_URL/$SCAPVAL_FILENAME.zip @@ -32,12 +32,12 @@ jobs: run: mkdir -p /opt/scapval/ && unar $SCAPVAL_FILENAME.zip -o /opt/scapval/ - name: Run SCAPVal # Runs SCAPVal on all built datastream - run: ctest -j2 -R scapval --output-on-failure + run: ctest -j$(nproc) -R scapval --output-on-failure - name: Lint Check # Performs ansible-lint and yamllint checks on generated ansible playbooks - run: ctest -j2 -R ansible-playbook --output-on-failure + run: ctest -j$(nproc) -R ansible-playbook --output-on-failure working-directory: ./build - name: Link Check # Performs linkcheck across all build tables and html guides to ensure there are no broken references. - run: ctest -j2 -R linkchecker --output-on-failure + run: ctest -j$(nproc) -R linkchecker --output-on-failure working-directory: ./build From 33b465bc09adb8015f935e50389e2d4ca7207bcd Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 16 Feb 2026 19:51:39 +0100 Subject: [PATCH 097/265] Use correct date for the milestone creation. The release_helper.py script was using the current release date to create the due date of the new milestone. --- utils/release_helper.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/release_helper.py b/utils/release_helper.py index d123003997db..de6680283afa 100755 --- a/utils/release_helper.py +++ b/utils/release_helper.py 
@@ -242,10 +242,10 @@ def create_repo_milestone(repo, name) -> None:
 f'Stabilization phase starts on {formatted_date_stabilization}')
 try:
 repo.create_milestone(
- title=name, description=milestone_description, due_on=estimated_release_date)
+ title=name, description=milestone_description, due_on=future_release_date)
 print(f'Milestone {name} successfully created with the following information:')
 print(f'Description: {milestone_description}')
- print(f'Due on: {estimated_release_date}')
+ print(f'Due on: {future_release_date}')
 except Exception as e:
 print(f'Error: {e}')
 exit(1)
From 474ff47131ab4e04132ea96228574f0ebf57829e Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Mon, 16 Feb 2026 20:03:12 +0100
Subject: [PATCH 098/265] Bump version of development branch to 0.1.81.
The stabilization has been created and we need to update the dev branch.
---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 48b206911bb3..9879c57cf4f2 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -33,7 +33,7 @@ include(SSGCommon)
 # Define Version values
 set(SSG_MAJOR_VERSION 0)
 set(SSG_MINOR_VERSION 1)
-set(SSG_PATCH_VERSION 80)
+set(SSG_PATCH_VERSION 81)
 set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}")
 set(SSG_VENDOR "ssgproject" CACHE STRING "Specify the XCCDF 1.2 vendor string.")
From fbf1a1f3fcf5095688de87878b475183639863fd Mon Sep 17 00:00:00 2001
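Review bot: `future_release_date` is referenced on the new side of both changed lines but is defined above the hunk, outside this view, and `estimated_release_date` is no longer used anywhere in the visible part of `create_repo_milestone`; the part of the function above the hunk should be checked for an assignment that is now dead. The surrounding `except Exception as e:` still reports only `print(f'Error: {e}')` to stdout and calls the `exit` builtin; `print(f'Error: {e}', file=sys.stderr)` followed by `sys.exit(1)` would be the conventional form, though that code is pre-existing. The function begins outside the hunk.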
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 17 Feb 2026 14:48:02 +0100
Subject: [PATCH 099/265] Add BSI to stable profiles
This adds the BSI profile for RHEL 9 and for RHEL 10 to the profile stability data so that it can be tested by the `stable-profiles` CTest test.
---
 .../data/profile_stability/rhel10/bsi.profile | 216 ++++++++++++++++++
 .../data/profile_stability/rhel9/bsi.profile | 196 ++++++++++++++++
 2 files changed, 412 insertions(+)
 create mode 100644 tests/data/profile_stability/rhel10/bsi.profile
 create mode 100644 tests/data/profile_stability/rhel9/bsi.profile
diff --git a/tests/data/profile_stability/rhel10/bsi.profile b/tests/data/profile_stability/rhel10/bsi.profile
new file mode 100644
index 000000000000..1742a8456cef
--- /dev/null
+++ b/tests/data/profile_stability/rhel10/bsi.profile
@@ -0,0 +1,216 @@ +account_unique_id +account_unique_name +aide_build_database +aide_periodic_cron_checking +aide_scan_notification +audit_rules_continue_loading +audit_rules_dac_modification_chmod +audit_rules_dac_modification_chown +audit_rules_dac_modification_fchmod +audit_rules_dac_modification_fchmodat +audit_rules_dac_modification_fchmodat2 +audit_rules_dac_modification_fchown +audit_rules_dac_modification_fchownat +audit_rules_dac_modification_fremovexattr +audit_rules_dac_modification_fsetxattr +audit_rules_dac_modification_lchown +audit_rules_dac_modification_lremovexattr +audit_rules_dac_modification_lsetxattr +audit_rules_dac_modification_removexattr +audit_rules_dac_modification_setxattr +audit_rules_execution_chcon +audit_rules_execution_setfacl +audit_rules_login_events_faillock +audit_rules_login_events_lastlog +audit_rules_privileged_commands +audit_rules_privileged_commands_usermod +audit_rules_session_events +audit_rules_suid_auid_privilege_function +audit_rules_sysadmin_actions +audit_rules_usergroup_modification_group +audit_rules_usergroup_modification_gshadow +audit_rules_usergroup_modification_opasswd +audit_rules_usergroup_modification_passwd +audit_rules_usergroup_modification_shadow +audit_sudo_log_events +bios_disable_usb_boot +bios_enable_execution_restrictions +configure_firewalld_ports +directory_groupowner_sshd_config_d +directory_owner_sshd_config_d +directory_permissions_sshd_config_d +encrypt_partitions +fapolicy_default_deny +file_group_ownership_var_log_audit +file_groupowner_at_allow +file_groupowner_backup_etc_group +file_groupowner_backup_etc_gshadow +file_groupowner_backup_etc_passwd +file_groupowner_backup_etc_shadow +file_groupowner_cron_allow +file_groupowner_cron_d +file_groupowner_cron_daily +file_groupowner_cron_hourly +file_groupowner_cron_monthly +file_groupowner_cron_weekly +file_groupowner_cron_yearly +file_groupowner_crontab +file_groupowner_efi_grub2_cfg +file_groupowner_efi_user_cfg +file_groupowner_etc_group 
+file_groupowner_etc_gshadow +file_groupowner_etc_issue +file_groupowner_etc_issue_net +file_groupowner_etc_motd +file_groupowner_etc_passwd +file_groupowner_etc_security_opasswd +file_groupowner_etc_security_opasswd_old +file_groupowner_etc_shadow +file_groupowner_etc_shells +file_groupowner_grub2_cfg +file_groupowner_sshd_config +file_groupowner_sshd_drop_in_config +file_groupowner_user_cfg +file_groupownership_audit_binaries +file_groupownership_audit_configuration +file_groupownership_home_directories +file_groupownership_sshd_private_key +file_groupownership_sshd_pub_key +file_owner_at_allow +file_owner_backup_etc_group +file_owner_backup_etc_gshadow +file_owner_backup_etc_passwd +file_owner_backup_etc_shadow +file_owner_cron_allow +file_owner_cron_d +file_owner_cron_daily +file_owner_cron_hourly +file_owner_cron_monthly +file_owner_cron_weekly +file_owner_cron_yearly +file_owner_crontab +file_owner_efi_grub2_cfg +file_owner_efi_user_cfg +file_owner_etc_group +file_owner_etc_gshadow +file_owner_etc_issue +file_owner_etc_issue_net +file_owner_etc_motd +file_owner_etc_passwd +file_owner_etc_security_opasswd +file_owner_etc_security_opasswd_old +file_owner_etc_shadow +file_owner_etc_shells +file_owner_grub2_cfg +file_owner_sshd_config +file_owner_sshd_drop_in_config +file_owner_user_cfg +file_ownership_audit_binaries +file_ownership_audit_configuration +file_ownership_home_directories +file_ownership_sshd_private_key +file_ownership_sshd_pub_key +file_ownership_var_log_audit +file_permission_user_bash_history +file_permissions_at_allow +file_permissions_audit_binaries +file_permissions_audit_configuration +file_permissions_backup_etc_group +file_permissions_backup_etc_gshadow +file_permissions_backup_etc_passwd +file_permissions_backup_etc_shadow +file_permissions_cron_allow +file_permissions_cron_d +file_permissions_cron_daily +file_permissions_cron_hourly +file_permissions_cron_monthly +file_permissions_cron_weekly +file_permissions_cron_yearly 
+file_permissions_crontab +file_permissions_efi_grub2_cfg +file_permissions_efi_user_cfg +file_permissions_etc_group +file_permissions_etc_gshadow +file_permissions_etc_issue +file_permissions_etc_issue_net +file_permissions_etc_motd +file_permissions_etc_passwd +file_permissions_etc_security_opasswd +file_permissions_etc_security_opasswd_old +file_permissions_etc_shadow +file_permissions_etc_shells +file_permissions_grub2_cfg +file_permissions_home_directories +file_permissions_sshd_config +file_permissions_sshd_drop_in_config +file_permissions_sshd_private_key +file_permissions_sshd_pub_key +file_permissions_unauthorized_sgid +file_permissions_unauthorized_suid +file_permissions_unauthorized_world_writable +file_permissions_ungroupowned +file_permissions_user_cfg +file_permissions_var_log_audit +firewalld_sshd_port_enabled +gid_passwd_group_same +group_unique_id +group_unique_name +grub2_audit_argument +grub2_audit_backlog_limit_argument +grub2_enable_selinux +grub2_nousb_argument +grub2_rng_core_default_quality_argument +install_antivirus +install_endpoint_security_software +install_hids +kernel_module_bluetooth_disabled +kernel_module_cfg80211_disabled +kernel_module_firewire-core_disabled +kernel_module_iwlmvm_disabled +kernel_module_iwlwifi_disabled +kernel_module_mac80211_disabled +kernel_module_usb-storage_disabled +mask_nonessential_services +no_files_or_dirs_ungroupowned +no_files_or_dirs_unowned_by_user +only_allow_specific_certs +package_aide_installed +package_audit-libs_installed +package_audit_installed +package_cron_installed +package_fapolicyd_installed +package_firewalld_installed +package_libselinux_installed +package_telnet-server_removed +package_telnet_removed +partition_for_home +partition_for_opt +partition_for_tmp +partition_for_usr +partition_for_var +partition_for_var_log +partition_for_var_tmp +rpm_verify_hashes +rpm_verify_ownership +selinux_confinement_of_daemons +selinux_not_disabled +selinux_policytype +selinux_state 
+service_auditd_enabled +service_autofs_disabled +service_bluetooth_disabled +service_fapolicyd_enabled +service_firewalld_enabled +service_sshd_enabled +set_firewalld_appropriate_zone +sshd_allow_only_protocol2 +sshd_disable_empty_passwords +sshd_disable_root_password_login +sshd_enable_pubkey_auth +unnecessary_firewalld_services_ports_disabled +var_accounts_passwords_pam_faillock_dir=run +var_audit_backlog_limit=8192 +var_selinux_policy_name=targeted +var_selinux_state=enforcing +wireless_disable_in_bios +wireless_disable_interfaces diff --git a/tests/data/profile_stability/rhel9/bsi.profile b/tests/data/profile_stability/rhel9/bsi.profile new file mode 100644 index 000000000000..f58133592b00 --- /dev/null +++ b/tests/data/profile_stability/rhel9/bsi.profile 
@@ -0,0 +1,196 @@ +account_unique_id +account_unique_name +aide_build_database +aide_periodic_cron_checking +aide_scan_notification +audit_rules_dac_modification_chmod +audit_rules_dac_modification_chown +audit_rules_dac_modification_fchmod +audit_rules_dac_modification_fchmodat +audit_rules_dac_modification_fchown +audit_rules_dac_modification_fchownat +audit_rules_dac_modification_fremovexattr +audit_rules_dac_modification_fsetxattr +audit_rules_dac_modification_lchown +audit_rules_dac_modification_lremovexattr +audit_rules_dac_modification_lsetxattr +audit_rules_dac_modification_removexattr +audit_rules_dac_modification_setxattr +audit_rules_execution_chcon +audit_rules_execution_setfacl +audit_rules_login_events_faillock +audit_rules_login_events_lastlog +audit_rules_privileged_commands +audit_rules_privileged_commands_usermod +audit_rules_session_events +audit_rules_suid_auid_privilege_function +audit_rules_sysadmin_actions +audit_rules_usergroup_modification_group +audit_rules_usergroup_modification_gshadow +audit_rules_usergroup_modification_opasswd +audit_rules_usergroup_modification_passwd +audit_rules_usergroup_modification_shadow +audit_sudo_log_events +bios_disable_usb_boot +bios_enable_execution_restrictions +configure_firewalld_ports +encrypt_partitions +fapolicy_default_deny +file_group_ownership_var_log_audit +file_groupowner_at_allow +file_groupowner_backup_etc_group +file_groupowner_backup_etc_gshadow +file_groupowner_backup_etc_passwd +file_groupowner_backup_etc_shadow +file_groupowner_cron_allow +file_groupowner_cron_d +file_groupowner_cron_daily +file_groupowner_cron_hourly +file_groupowner_cron_monthly +file_groupowner_cron_weekly +file_groupowner_crontab +file_groupowner_efi_grub2_cfg +file_groupowner_efi_user_cfg +file_groupowner_etc_group +file_groupowner_etc_gshadow +file_groupowner_etc_issue +file_groupowner_etc_issue_net +file_groupowner_etc_motd +file_groupowner_etc_passwd +file_groupowner_etc_shadow +file_groupowner_etc_shells 
+file_groupowner_grub2_cfg +file_groupowner_sshd_config +file_groupowner_user_cfg +file_groupownership_audit_binaries +file_groupownership_audit_configuration +file_groupownership_home_directories +file_groupownership_sshd_private_key +file_groupownership_sshd_pub_key +file_owner_at_allow +file_owner_backup_etc_group +file_owner_backup_etc_gshadow +file_owner_backup_etc_passwd +file_owner_backup_etc_shadow +file_owner_cron_allow +file_owner_cron_d +file_owner_cron_daily +file_owner_cron_hourly +file_owner_cron_monthly +file_owner_cron_weekly +file_owner_crontab +file_owner_efi_grub2_cfg +file_owner_efi_user_cfg +file_owner_etc_group +file_owner_etc_gshadow +file_owner_etc_issue +file_owner_etc_issue_net +file_owner_etc_motd +file_owner_etc_passwd +file_owner_etc_shadow +file_owner_etc_shells +file_owner_grub2_cfg +file_owner_sshd_config +file_owner_user_cfg +file_ownership_audit_binaries +file_ownership_audit_configuration +file_ownership_home_directories +file_ownership_sshd_private_key +file_ownership_sshd_pub_key +file_ownership_var_log_audit +file_permissions_at_allow +file_permissions_audit_binaries +file_permissions_audit_configuration +file_permissions_backup_etc_group +file_permissions_backup_etc_gshadow +file_permissions_backup_etc_passwd +file_permissions_backup_etc_shadow +file_permissions_cron_allow +file_permissions_cron_d +file_permissions_cron_daily +file_permissions_cron_hourly +file_permissions_cron_monthly +file_permissions_cron_weekly +file_permissions_crontab +file_permissions_efi_grub2_cfg +file_permissions_efi_user_cfg +file_permissions_etc_group +file_permissions_etc_gshadow +file_permissions_etc_issue +file_permissions_etc_issue_net +file_permissions_etc_motd +file_permissions_etc_passwd +file_permissions_etc_shadow +file_permissions_etc_shells +file_permissions_grub2_cfg +file_permissions_home_directories +file_permissions_sshd_config +file_permissions_sshd_private_key +file_permissions_sshd_pub_key +file_permissions_unauthorized_sgid 
+file_permissions_unauthorized_suid +file_permissions_unauthorized_world_writable +file_permissions_ungroupowned +file_permissions_user_cfg +file_permissions_var_log_audit +firewalld_sshd_port_enabled +gid_passwd_group_same +group_unique_id +group_unique_name +grub2_audit_argument +grub2_audit_backlog_limit_argument +grub2_enable_selinux +grub2_nousb_argument +grub2_rng_core_default_quality_argument +install_antivirus +install_endpoint_security_software +install_hids +kernel_module_bluetooth_disabled +kernel_module_cfg80211_disabled +kernel_module_firewire-core_disabled +kernel_module_iwlmvm_disabled +kernel_module_iwlwifi_disabled +kernel_module_mac80211_disabled +kernel_module_usb-storage_disabled +mask_nonessential_services +only_allow_specific_certs +package_aide_installed +package_audit-libs_installed +package_audit_installed +package_cron_installed +package_fapolicyd_installed +package_firewalld_installed +package_libselinux_installed +package_telnet-server_removed +package_telnet_removed +partition_for_home +partition_for_opt +partition_for_tmp +partition_for_usr +partition_for_var +partition_for_var_log +partition_for_var_tmp +rpm_verify_hashes +rpm_verify_ownership +selinux_confinement_of_daemons +selinux_not_disabled +selinux_policytype +selinux_state +service_auditd_enabled +service_autofs_disabled +service_bluetooth_disabled +service_fapolicyd_enabled +service_firewalld_enabled +service_sshd_enabled +set_firewalld_appropriate_zone +sshd_allow_only_protocol2 +sshd_disable_empty_passwords +sshd_disable_root_password_login +sshd_enable_pubkey_auth +unnecessary_firewalld_services_ports_disabled +var_accounts_passwords_pam_faillock_dir=run +var_audit_backlog_limit=8192 +var_selinux_policy_name=targeted +var_selinux_state=enforcing +wireless_disable_in_bios +wireless_disable_interfaces From 241a701675525ad8abc19f17c882060f3479e5c0 Mon Sep 17 00:00:00 2001 
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Tue, 17 Feb 2026 19:02:55 +0200 Subject: [PATCH 100/265] Update linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh Co-authored-by: Matthew Burket --- .../dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh index df8d59312c91..71bf01f44d5a 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh @@ -7,7 +7,7 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_setting "org/gnome/desktop/lockdown" "#disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}", "00-security-settings" +add_dconf_setting "org/gnome/desktop/lockdown" "#disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" {{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "#lock-enabled" "true" "local.d" "00-security-settings" From 5ff7446f179e2b889e070a27ba258ba2949406d2 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Tue, 17 Feb 2026 16:12:25 -0600 Subject: [PATCH 101/265] Ignore user-specific CLAUDE files --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index cafff35ee5ea..7e03e62a5433 100644 --- a/.gitignore +++ b/.gitignore 
@@ -82,3 +82,6 @@ coverage.xml # Trestle specfic shared/references/oscal/.trestle/cache + +# Ignore user-specific CLAUDE preferences +CLAUDE.local.md From 2643a65e00c910685440b61c849b018c4476c13b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Feb 2026 02:43:13 +0000 Subject: [PATCH 102/265] Bump tj-actions/changed-files from 47.0.2 to 47.0.4 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.2 to 47.0.4. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/8cba46e29c11878d930bca7870bb54394d3e8b21...7dee1b0c1557f278e5c7dc244927139d78c0e22a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-version: 47.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/sync-cac-oscal.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-cac-oscal.yml b/.github/workflows/sync-cac-oscal.yml index d1b03ec3167a..7b7def566038 100644 --- a/.github/workflows/sync-cac-oscal.yml +++ b/.github/workflows/sync-cac-oscal.yml @@ -73,7 +73,7 @@ jobs: # Step 6: Get changed files and detect updates - name: Get changed files if: ${{ env.SKIP == 'false' }} - uses: tj-actions/changed-files@8cba46e29c11878d930bca7870bb54394d3e8b21 # v47.0.2 + uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4 id: changed-files with: path: "cac-content" From a769e088c018cf2d530e9e2c95acda6ade6c7036 Mon Sep 17 00:00:00 2001 
From: svet-se
Date: Wed, 18 Feb 2026 10:12:00 +0200
Subject: [PATCH 103/265] Create sle16 anssi_bp28_high.profile
---
 .../sle16/profiles/anssi_bp28_high.profile | 125 ++++++++++++++++++
 1 file changed, 125 insertions(+)
 create mode 100644 products/sle16/profiles/anssi_bp28_high.profile
diff --git a/products/sle16/profiles/anssi_bp28_high.profile b/products/sle16/profiles/anssi_bp28_high.profile
new file mode 100644
index 000000000000..9884a6c214f5
--- /dev/null
+++ b/products/sle16/profiles/anssi_bp28_high.profile
@@ -0,0 +1,125 @@ +--- +documentation_complete: true + +metadata: + SMEs: + - svet-se + - teacup-on-rockingchair + +title: 'ANSSI-BP-028 (high)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system + +selections: + - anssi:all:high + - var_multiple_time_servers=suse + - var_multiple_time_pools=suse + - var_sudo_dedicated_group=root + - accounts_password_pam_pwhistory_remember + - set_password_hashing_min_rounds_logindefs + - '!accounts_password_pam_dcredit' + - '!accounts_password_pam_lcredit' + - '!accounts_password_pam_minclass' + - '!accounts_password_pam_minlen' + - '!accounts_password_pam_ocredit' + - '!accounts_password_pam_retry' + - '!accounts_password_pam_ucredit' + - '!accounts_password_pam_unix_remember' + - '!accounts_password_pam_unix_rounds_password_auth' + - '!accounts_password_pam_unix_rounds_system_auth' + - '!accounts_passwords_pam_faillock_deny_root' + - '!accounts_passwords_pam_faillock_deny' + - '!accounts_passwords_pam_faillock_interval' + - '!accounts_passwords_pam_faillock_unlock_time' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!accounts_passwords_pam_tally2' + - '!aide_periodic_cron_checking' + - '!all_apparmor_profiles_enforced' + - '!apparmor_configured' + - '!audit_rules_dac_modification_fchmodat2' + - '!audit_rules_file_deletion_events_renameat2' + - 
'!audit_rules_immutable' + - '!audit_rules_mac_modification_etc_selinux' + - '!dnf-automatic_apply_updates' + - '!dnf-automatic_security_updates_only' + - '!enable_authselect' + - '!ensure_almalinux_gpgkey_installed' + - '!ensure_oracle_gpgkey_installed' + - '!ensure_redhat_gpgkey_installed' + - '!file_groupowner_etc_chrony_keys' + - '!file_groupowner_user_cfg' + - '!file_owner_user_cfg' + - '!file_permissions_sudo' + - '!file_permissions_user_cfg' + - '!grub2_enable_apparmor' + - '!grub2_mds_argument' + - '!grub2_page_alloc_shuffle_argument' + - '!grub2_page_poison_argument' + - '!grub2_pti_argument' + - '!grub2_slub_debug_argument' + - '!kernel_config_arm64_sw_ttbr0_pan' + - '!kernel_config_bug_on_data_corruption' + - '!kernel_config_debug_wx' + - '!kernel_config_fortify_source' + - '!kernel_config_gcc_plugin_latent_entropy' + - '!kernel_config_gcc_plugin_randstruct' + - '!kernel_config_gcc_plugin_stackleak' + - '!kernel_config_gcc_plugin_structleak_byref_all' + - '!kernel_config_gcc_plugin_structleak' + - '!kernel_config_hardened_usercopy_fallback' + - '!kernel_config_hardened_usercopy' + - '!kernel_config_legacy_vsyscall_emulate' + - '!kernel_config_legacy_vsyscall_none' + - '!kernel_config_legacy_vsyscall_xonly' + - '!kernel_config_modify_ldt_syscall' + - '!kernel_config_page_poisoning' + - '!kernel_config_refcount_full' + - '!kernel_config_sched_stack_end_check' + - '!kernel_config_slab_freelist_hardened' + - '!kernel_config_slab_freelist_random' + - '!kernel_config_slab_merge_default' + - '!kernel_config_stackprotector_strong' + - '!kernel_config_stackprotector' + - '!kernel_config_strict_kernel_rwx' + - '!kernel_config_strict_module_rwx' + - '!kernel_config_vmap_stack' + - '!ldap_client_start_tls' + - '!ldap_client_tls_cacertpath' + - '!mount_option_tmp_noexec' + - '!no_nis_in_nsswitch' + - '!package_apparmor_installed' + - '!package_dnf-automatic_installed' + - '!package_dracut-fips-aesni_installed' + - '!package_kea_removed' + - 
'!package_pam_apparmor_installed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_sendmail_removed' + - '!package_sequoia-sq_installed' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_xinetd_removed' + - '!package_ypbind_removed' + - '!package_ypserv_removed' + - '!sebool_secure_mode_insmod' + - '!service_chronyd_enabled' + - '!set_password_hashing_algorithm_systemauth' + - '!sysctl_fs_protected_fifos' + - '!sysctl_fs_protected_regular' + - '!sysctl_kernel_unprivileged_bpf_disabled' + - '!sysctl_kernel_yama_ptrace_scope' + - '!sysctl_net_core_bpf_jit_harden' + - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp' + - '!sysctl_net_ipv6_conf_all_autoconf' + - '!timer_dnf-automatic_enabled' From 003114820cf543d0071a2fcc830d890fdc5aa600 Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 18 Feb 2026 10:12:30 +0200 Subject: [PATCH 104/265] Create sle16 anssi_bp28_enhanced.profile --- .../profiles/anssi_bp28_enhanced.profile | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 products/sle16/profiles/anssi_bp28_enhanced.profile diff --git a/products/sle16/profiles/anssi_bp28_enhanced.profile b/products/sle16/profiles/anssi_bp28_enhanced.profile new file mode 100644 index 000000000000..f93536a0114c --- /dev/null +++ b/products/sle16/profiles/anssi_bp28_enhanced.profile 
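Review bot: The long `'!…'` exclusion list in the new profile carries no comment saying why each rule is dropped, so a reader cannot tell an exclusion that looks specific to another distribution's tooling (`!enable_authselect`, `!ensure_redhat_gpgkey_installed`, `!dnf-automatic_apply_updates`) from hardening the `high` level would normally keep on SLE, notably the AppArmor set (`!package_apparmor_installed`, `!apparmor_configured`, `!all_apparmor_profiles_enforced`, `!grub2_enable_apparmor`, `!package_pam_apparmor_installed`) and the kernel hardening rules (`!sysctl_kernel_yama_ptrace_scope`, `!sysctl_kernel_unprivileged_bpf_disabled`, `!sysctl_fs_protected_fifos`, `!sysctl_fs_protected_regular`, `!mount_option_tmp_noexec`). Grouping the exclusions under YAML comments such as `# Not applicable to SLE 16 (other-distribution tooling)` and `# Excluded for now: <reason — TODO>` would record the intent and make it easy to revisit them once sle16 support exists. `var_sudo_dedicated_group=root` likewise deserves a one-line comment, since it appears to relax the dedicated-sudo-group recommendation the variable name implies. The same pattern applies to the anssi_bp28_enhanced.profile and anssi_bp28_intermediary.profile hunks.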
@@ -0,0 +1,97 @@ +--- +documentation_complete: true + +metadata: + SMEs: + - svet-se + - teacup-on-rockingchair + +title: 'ANSSI-BP-028 (enhanced)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system + +selections: + - anssi:all:enhanced + - var_multiple_time_servers=suse + - var_multiple_time_pools=suse + - var_sudo_dedicated_group=root + - accounts_password_pam_pwhistory_remember + - set_password_hashing_min_rounds_logindefs + - '!accounts_password_pam_dcredit' + - '!accounts_password_pam_lcredit' + - '!accounts_password_pam_minclass' + - '!accounts_password_pam_minlen' + - '!accounts_password_pam_ocredit' + - '!accounts_password_pam_retry' + - '!accounts_password_pam_ucredit' + - '!accounts_password_pam_unix_remember' + - '!accounts_password_pam_unix_rounds_password_auth' + - '!accounts_password_pam_unix_rounds_system_auth' + - '!accounts_passwords_pam_faillock_deny_root' + - '!accounts_passwords_pam_faillock_deny' + - '!accounts_passwords_pam_faillock_interval' + - '!accounts_passwords_pam_faillock_unlock_time' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!accounts_passwords_pam_tally2' + - '!all_apparmor_profiles_enforced' + - '!apparmor_configured' + - '!audit_rules_dac_modification_fchmodat2' + - '!audit_rules_file_deletion_events_renameat2' + - '!audit_rules_immutable' + - 
'!audit_rules_mac_modification_etc_selinux' + - '!dnf-automatic_apply_updates' + - '!dnf-automatic_security_updates_only' + - '!enable_authselect' + - '!ensure_almalinux_gpgkey_installed' + - '!ensure_oracle_gpgkey_installed' + - '!ensure_redhat_gpgkey_installed' + - '!file_groupowner_etc_chrony_keys' + - '!file_groupowner_user_cfg' + - '!file_owner_user_cfg' + - '!file_permissions_sudo' + - '!file_permissions_user_cfg' + - '!grub2_enable_apparmor' + - '!grub2_mds_argument' + - '!grub2_page_alloc_shuffle_argument' + - '!grub2_page_poison_argument' + - '!grub2_pti_argument' + - '!grub2_slub_debug_argument' + - '!ldap_client_start_tls' + - '!ldap_client_tls_cacertpath' + - '!mount_option_tmp_noexec' + - '!no_nis_in_nsswitch' + - '!package_apparmor_installed' + - '!package_dnf-automatic_installed' + - '!package_dracut-fips-aesni_installed' + - '!package_kea_removed' + - '!package_pam_apparmor_installed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_sendmail_removed' + - '!package_sequoia-sq_installed' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_xinetd_removed' + - '!package_ypbind_removed' + - '!package_ypserv_removed' + - '!service_chronyd_enabled' + - '!set_password_hashing_algorithm_systemauth' + - '!sysctl_fs_protected_fifos' + - '!sysctl_fs_protected_regular' + - '!sysctl_kernel_unprivileged_bpf_disabled' + - '!sysctl_kernel_yama_ptrace_scope' + - '!sysctl_net_core_bpf_jit_harden' + - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp' + - '!sysctl_net_ipv6_conf_all_autoconf' + - '!timer_dnf-automatic_enabled' From 6cadd74b25863ae72cde1b82c38e6d70d979e770 Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 18 Feb 2026 10:13:15 +0200 Subject: [PATCH 105/265] Create sle16 anssi_bp28_intermediary.profile --- .../profiles/anssi_bp28_intermediary.profile | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 products/sle16/profiles/anssi_bp28_intermediary.profile 
diff --git a/products/sle16/profiles/anssi_bp28_intermediary.profile b/products/sle16/profiles/anssi_bp28_intermediary.profile
new file mode 100644
index 000000000000..dd68326e7307
--- /dev/null
+++ b/products/sle16/profiles/anssi_bp28_intermediary.profile
@@ -0,0 +1,82 @@
+---
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - svet-se
+ - teacup-on-rockingchair
+
+title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+ An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+ https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system
+
+selections:
+ - anssi:all:intermediary
+ - var_multiple_time_servers=suse
+ - var_multiple_time_pools=suse
+ - var_sudo_dedicated_group=root
+ - accounts_password_pam_pwhistory_remember
+ - set_password_hashing_min_rounds_logindefs
+ - '!accounts_password_pam_dcredit'
+ - '!accounts_password_pam_lcredit'
+ - '!accounts_password_pam_minclass'
+ - '!accounts_password_pam_minlen'
+ - '!accounts_password_pam_ocredit'
+ - '!accounts_password_pam_retry'
+ - '!accounts_password_pam_ucredit'
+ - '!accounts_password_pam_unix_remember'
+ - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!accounts_password_pam_unix_rounds_system_auth'
+ - '!accounts_passwords_pam_faillock_deny_root'
+ - '!accounts_passwords_pam_faillock_deny'
+ - '!accounts_passwords_pam_faillock_interval'
+ - '!accounts_passwords_pam_faillock_unlock_time'
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!accounts_passwords_pam_tally2'
+ - '!dnf-automatic_apply_updates'
+ - '!dnf-automatic_security_updates_only'
+ - '!enable_authselect'
+ - '!ensure_almalinux_gpgkey_installed'
+ - '!ensure_oracle_gpgkey_installed'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!file_groupowner_etc_chrony_keys'
+ - '!grub2_mds_argument'
+ - '!grub2_page_alloc_shuffle_argument'
+ - '!grub2_page_poison_argument'
+ - '!grub2_pti_argument'
+ - '!grub2_slub_debug_argument'
+ - '!ldap_client_start_tls'
+ - '!ldap_client_tls_cacertpath'
+ - '!mount_option_tmp_noexec'
+ - '!no_nis_in_nsswitch'
+ - '!package_dnf-automatic_installed'
+ - '!package_kea_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
+ - '!package_sendmail_removed'
+ - '!package_sequoia-sq_installed'
+ - '!package_talk_removed'
+ - '!package_talk-server_removed'
+ - '!package_xinetd_removed'
+ - '!package_ypbind_removed'
+ - '!package_ypserv_removed'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!sysctl_fs_protected_fifos'
+ - '!sysctl_fs_protected_regular'
+ - '!sysctl_kernel_unprivileged_bpf_disabled'
+ - '!sysctl_kernel_yama_ptrace_scope'
+ - '!sysctl_net_core_bpf_jit_harden'
+ - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
+ - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!timer_dnf-automatic_enabled'

From bb6dfb01a0e93098ae32989c8c9446f8c7478019 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 18 Feb 2026 10:13:40 +0200
Subject: [PATCH 106/265] Create sle16 anssi_bp28_minimal.profile

---
 .../sle16/profiles/anssi_bp28_minimal.profile | 65 +++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 products/sle16/profiles/anssi_bp28_minimal.profile

diff --git a/products/sle16/profiles/anssi_bp28_minimal.profile b/products/sle16/profiles/anssi_bp28_minimal.profile
new file mode 100644
index 000000000000..0fbb44696a92
--- /dev/null
+++ b/products/sle16/profiles/anssi_bp28_minimal.profile
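Review bot: The negations of `sysctl_fs_protected_fifos`, `sysctl_fs_protected_regular`, `sysctl_kernel_unprivileged_bpf_disabled`, `sysctl_kernel_yama_ptrace_scope` and `sysctl_net_core_bpf_jit_harden` at the end of the selections carry no reason, unlike the self-explanatory RHEL-only exclusions (dnf-automatic, authselect, vendor GPG keys). These are generic kernel hardening settings that `anssi:all:intermediary` presumably selects (otherwise the negations would be no-ops), so dropping them silently lowers what the sle16 intermediary profile enforces; a YAML comment above the group such as `# sysctl_* below excluded on sle16: <REASON-PLACEHOLDER>` would let the next maintainer tell deliberate exclusions from leftovers. `var_sudo_dedicated_group=root` reads as "no dedicated sudo group" and deserves the same one-line justification if it reflects an SLE packaging constraint. The profile in the preceding hunk (which starts above this chunk) shares the same unannotated sysctl exclusions.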
@@ -0,0 +1,65 @@
+---
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - svet-se
+ - teacup-on-rockingchair
+
+title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+ An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+ https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system
+
+selections:
+ - anssi:all:minimal
+ - var_multiple_time_servers=suse
+ - var_multiple_time_pools=suse
+ - var_sudo_dedicated_group=root
+ - accounts_password_pam_pwhistory_remember
+ - set_password_hashing_min_rounds_logindefs
+ - '!accounts_password_pam_dcredit'
+ - '!accounts_password_pam_lcredit'
+ - '!accounts_password_pam_minclass'
+ - '!accounts_password_pam_minlen'
+ - '!accounts_password_pam_ocredit'
+ - '!accounts_password_pam_retry'
+ - '!accounts_password_pam_ucredit'
+ - '!accounts_password_pam_unix_remember'
+ - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!accounts_password_pam_unix_rounds_system_auth'
+ - '!accounts_passwords_pam_faillock_deny_root'
+ - '!accounts_passwords_pam_faillock_deny'
+ - '!accounts_passwords_pam_faillock_interval'
+ - '!accounts_passwords_pam_faillock_unlock_time'
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!accounts_passwords_pam_tally2'
+ - '!dnf-automatic_apply_updates'
+ - '!dnf-automatic_security_updates_only'
+ - '!enable_authselect'
+ - '!ensure_almalinux_gpgkey_installed'
+ - '!ensure_oracle_gpgkey_installed'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!package_dnf-automatic_installed'
+ - '!package_kea_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
+ - '!package_sendmail_removed'
+ - '!package_sequoia-sq_installed'
+ - '!package_talk_removed'
+ - '!package_talk-server_removed'
+ - '!package_xinetd_removed'
+ - '!package_ypbind_removed'
+ - '!package_ypserv_removed'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!timer_dnf-automatic_enabled'

From a03ff8be7d70c0fb6f05f719a367ba059bc2f0ec Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 18 Feb 2026 10:15:53 +0200
Subject: [PATCH 107/265] Update rule service_sssd_enabled to support sle16

---
 linux_os/guide/services/sssd/service_sssd_enabled/rule.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
index e5f043748371..c3ac65d29cb5 100644
--- a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
+++ b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
@@ -38,6 +38,7 @@ template:
 vars:
 servicename: sssd
 packagename: sssd-common
+ packagename@sle16: sssd
 warnings:
 - general:

From 669e3490f8af62ea6bfad70beba82604b8989e5d Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 18 Feb 2026 10:16:43 +0200
Subject: [PATCH 108/265] Update rule sssd_ldap_configure_tls_reqcert to support sle16

---
 .../sssd_ldap_configure_tls_reqcert/ansible/shared.yml | 2 +-
 .../sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
index f8f3cd3e5fff..c7e0de641d6e 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle
 # reboot = false
 # strategy = unknown
 # complexity = low
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
index d228b8cdb0e4..a55a8e9786c9 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
@@ -1,3 +1,3 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle
 {{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand", rule_id=rule_id) }}}

From ecd5eff6bc41f1ab419377fea8d066a046c52d2c Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 18 Feb 2026 10:18:16 +0200
Subject: [PATCH 109/265] Update rule sssd_ldap_start_tls to support sle16

---
 .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 +-
 .../services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 0a1efcabc2aa..1230b6463461 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
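Review bot: `multi_platform_sle` on the platform line of ansible/shared.yml enables this remediation on every SLE product, not only the sle16 the commit title claims support for; if the ansible task and the `bash_sssd_ldap_config` output have only been checked against SLE 16, the product-specific platform value `sle16` would keep unverified SLE 12/15 remediations out of the built content. The bash hunk of this commit and both hunks of the next two commits (sssd_ldap_start_tls, accounts_password_set_max_life_root) widen the platform in the same way. If the wider platform is intentional because these remediations are release-independent across SLE, saying so in the commit message is enough.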
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle
 # reboot = false
 # strategy = unknown
 # complexity = low
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
index 66f05ab54493..4ca2e31d7bc0 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle
 {{{ bash_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true", rule_id=rule_id) }}}

From 5759467091bde286ac3d0f8b9eae16b344df13e1 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 18 Feb 2026 10:18:56 +0200
Subject: [PATCH 110/265] Update rule accounts_password_set_max_life_root to support sle16

---
 .../accounts_password_set_max_life_root/ansible/shared.yml | 2 +-
 .../accounts_password_set_max_life_root/bash/shared.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml
index ebcb5ac0430d..66e566378c67 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel
+# platform = multi_platform_rhel,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
index 7bdb759f686f..b0f38d581bc0 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_debian
+# platform = multi_platform_debian,multi_platform_rhel,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low

From e3da7beb7162caead4513905bdc108d263a8ed2e Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 18 Feb 2026 10:19:36 +0200
Subject: [PATCH 111/265] Update rule grub2_password to support sle16

---
 .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index c605b0770177..c1f8cd5e485f 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -9,14 +9,14 @@ description: |-

 Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
- {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] or 'ubuntu' in product %}}
+ {{% if 'sle' in product or 'slmicro' in product or 'ubuntu' in product %}}
# grub2-mkpasswd-pbkdf2
{{% else %}}
# grub2-setpassword
 {{% endif %}}
 When prompted, enter the password that was selected.

- {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] or 'ubuntu' in product %}}
+ {{% if 'sle' in product or 'slmicro' in product or 'ubuntu' in product %}}
 Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:
set superusers="boot"

From 72fe9a198b51a1737e1f25ab39ae3d9610597725 Mon Sep 17 00:00:00 2001
From: svet-se 
Date: Wed, 18 Feb 2026 10:20:06 +0200
Subject: [PATCH 112/265] Update rule ensure_logrotate_activated ti support
 sle16

---
 .../log_rotation/ensure_logrotate_activated/oval/shared.xml   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
index 907b69cc31e3..fc8a7ba8688b 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
@@ -11,7 +11,7 @@
       test_ref="test_logrotate_conf_no_other_keyword" />
       
         
-{{% if product in ["ol9", "rhcos4", "rhel9", "rhel10", "sle12", "sle15", "slmicro5"] %}}
+{{% if 'sle' in product or product in ["ol9", "rhcos4", "rhel9", "rhel10", "slmicro5"] %}}
         
 {{% endif %}}
       
@@ -54,7 +54,7 @@
     1
   
 
-  {{% if product in ["ol9", "rhcos4", "rhel9", "rhel10", "sle12", "sle15", "slmicro5"] %}}
+  {{% if 'sle' in product or product in ["ol9", "rhcos4", "rhel9", "rhel10", "slmicro5"] %}}
   

From d579dd9517a17d46bf1dbb196d90b6c34a9f2a74 Mon Sep 17 00:00:00 2001
From: svet-se 
Date: Wed, 18 Feb 2026 10:20:36 +0200
Subject: [PATCH 113/265] Update rule package_rsyslog-gnutls_installed to
 support sle16

---
 .../system/logging/package_rsyslog-gnutls_installed/rule.yml     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
index da05bbd7db9b..3bf6d1eaf6f5 100644
--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
@@ -42,6 +42,7 @@ template:
         pkgname: rsyslog-gnutls
         pkgname@sle12: rsyslog-module-gtls
         pkgname@sle15: rsyslog-module-gtls
+        pkgname@sle16: rsyslog-module-gtls
 
 fixtext: |-
     {{% if 'sle' not in product %}}

From b8b9aaca7211e22c719fed0799cff4b72150e74f Mon Sep 17 00:00:00 2001
From: svet-se 
Date: Wed, 18 Feb 2026 10:48:15 +0200
Subject: [PATCH 114/265] Add sle16 cces

---
 .../rule.yml                                  |   1 +
 .../audit_rules_privileged_commands/rule.yml  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../ntp/file_owner_etc_chrony_keys/rule.yml   |   1 +
 .../file_permissions_etc_chrony_keys/rule.yml |   1 +
 .../ssh/file_groupowner_sshd_config/rule.yml  |   1 +
 .../rule.yml                                  |   1 +
 .../file_groupownership_sshd_pub_key/rule.yml |   1 +
 .../ssh/file_owner_sshd_config/rule.yml       |   1 +
 .../file_ownership_sshd_private_key/rule.yml  |   1 +
 .../ssh/file_ownership_sshd_pub_key/rule.yml  |   1 +
 .../sssd/package_sssd_installed/rule.yml      |   1 +
 .../sssd/service_sssd_enabled/rule.yml        |   1 +
 .../sssd_ldap_configure_tls_reqcert/rule.yml  |   1 +
 .../sssd-ldap/sssd_ldap_start_tls/rule.yml    |   1 +
 .../sssd/sssd_enable_pam_services/rule.yml    |   1 +
 .../enable_pam_namespace/rule.yml             |   2 +-
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../accounts_polyinstantiated_tmp/rule.yml    |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../accounts_user_dot_user_ownership/rule.yml |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../file_permission_user_init_files/rule.yml  |   1 +
 .../accounts_umask_etc_bashrc/rule.yml        |   1 +
 .../accounts_umask_etc_login_defs/rule.yml    |   1 +
 .../accounts_umask_etc_profile/rule.yml       |   1 +
 .../grub2_enable_iommu_force/rule.yml         |   2 +-
 .../grub2_l1tf_argument/rule.yml              |   1 +
 .../grub2_mce_argument/rule.yml               |   1 +
 .../grub2_nosmap_argument_absent/rule.yml     |   1 +
 .../rule.yml                                  |   1 +
 .../grub2_slab_nomerge_argument/rule.yml      |   1 +
 .../rule.yml                                  |   1 +
 .../file_groupowner_efi_grub2_cfg/rule.yml    |   1 +
 .../file_groupowner_efi_user_cfg/rule.yml     |   1 +
 .../uefi/file_owner_efi_grub2_cfg/rule.yml    |   1 +
 .../uefi/file_owner_efi_user_cfg/rule.yml     |   1 +
 .../file_permissions_efi_grub2_cfg/rule.yml   |   1 +
 .../file_permissions_efi_user_cfg/rule.yml    |   1 +
 .../kernel_config_acpi_custom_method/rule.yml |   1 +
 .../kernel_config_binfmt_misc/rule.yml        |   1 +
 .../kernel_config_bug/rule.yml                |   1 +
 .../kernel_config_compat_brk/rule.yml         |   1 +
 .../kernel_config_compat_vdso/rule.yml        |   1 +
 .../kernel_config_debug_credentials/rule.yml  |   1 +
 .../kernel_config_debug_fs/rule.yml           |   1 +
 .../kernel_config_debug_list/rule.yml         |   1 +
 .../kernel_config_debug_notifiers/rule.yml    |   1 +
 .../kernel_config_debug_sg/rule.yml           |   1 +
 .../rule.yml                                  |   1 +
 .../kernel_config_devkmem/rule.yml            |   1 +
 .../kernel_config_hibernation/rule.yml        |   1 +
 .../kernel_config_ia32_emulation/rule.yml     |   1 +
 .../kernel_config_kexec/rule.yml              |   1 +
 .../kernel_config_legacy_ptys/rule.yml        |   1 +
 .../kernel_config_module_sig/rule.yml         |   1 +
 .../kernel_config_module_sig_all/rule.yml     |   1 +
 .../kernel_config_module_sig_force/rule.yml   |   1 +
 .../kernel_config_module_sig_hash/rule.yml    |   1 +
 .../kernel_config_module_sig_key/rule.yml     |   1 +
 .../kernel_config_module_sig_sha512/rule.yml  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../kernel_config_panic_on_oops/rule.yml      |   1 +
 .../kernel_config_panic_timeout/rule.yml      |   1 +
 .../kernel_config_proc_kcore/rule.yml         |   1 +
 .../kernel_config_randomize_base/rule.yml     |   1 +
 .../kernel_config_randomize_memory/rule.yml   |   1 +
 .../kernel_config_retpoline/rule.yml          |   1 +
 .../kernel_config_seccomp/rule.yml            |   1 +
 .../kernel_config_seccomp_filter/rule.yml     |   1 +
 .../kernel_config_security/rule.yml           |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../kernel_config_security_yama/rule.yml      |   1 +
 .../kernel_config_slub_debug/rule.yml         |   1 +
 .../kernel_config_syn_cookies/rule.yml        |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../ensure_logrotate_activated/rule.yml       |   1 +
 .../package_rsyslog-gnutls_installed/rule.yml |   1 +
 .../rsyslog_remote_tls/rule.yml               |   1 +
 .../rsyslog_remote_tls_cacert/rule.yml        |   1 +
 .../directory_groupowner_etc_ipsecd/rule.yml  |   1 +
 .../directory_owner_etc_ipsecd/rule.yml       |   1 +
 .../directory_permissions_etc_ipsecd/rule.yml |   1 +
 .../file_groupowner_etc_ipsec_conf/rule.yml   |   1 +
 .../rule.yml                                  |   1 +
 .../file_owner_etc_ipsec_conf/rule.yml        |   1 +
 .../file_owner_etc_ipsec_secrets/rule.yml     |   1 +
 .../file_permissions_etc_ipsec_conf/rule.yml  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../directory_owner_etc_iptables/rule.yml     |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../sysctl_net_ipv4_tcp_rfc1337/rule.yml      |   1 +
 .../rule.yml                                  |   1 +
 .../directory_owner_etc_nftables/rule.yml     |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../dir_system_commands_root_owned/rule.yml   |   1 +
 .../file_groupowner_etc_crypttab/rule.yml     |   1 +
 .../files/file_groupowner_systemmap/rule.yml  |   1 +
 .../files/file_owner_etc_crypttab/rule.yml    |   1 +
 .../files/file_owner_systemmap/rule.yml       |   1 +
 .../file_permissions_etc_crypttab/rule.yml    |   1 +
 .../files/file_permissions_systemmap/rule.yml |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../file_groupowner_etc_gshadow/rule.yml      |   1 +
 .../file_groupowner_etc_shells/rule.yml       |   1 +
 .../file_owner_etc_gshadow/rule.yml           |   1 +
 .../file_owner_etc_shells/rule.yml            |   1 +
 .../file_permissions_etc_gshadow/rule.yml     |   1 +
 .../file_permissions_etc_shells/rule.yml      |   1 +
 .../directory_groupowner_etc_sysctld/rule.yml |   1 +
 .../directory_owner_etc_sysctld/rule.yml      |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../file_ownership_binary_dirs/rule.yml       |   1 +
 .../file_permissions_binary_dirs/rule.yml     |   1 +
 .../sysctl_fs_protected_hardlinks/rule.yml    |   1 +
 .../sysctl_fs_protected_symlinks/rule.yml     |   1 +
 .../mount_option_boot_noexec/rule.yml         |   2 +-
 .../mount_option_boot_nosuid/rule.yml         |   1 +
 .../mount_option_home_noexec/rule.yml         |   1 +
 .../mount_option_home_nosuid/rule.yml         |   1 +
 .../rule.yml                                  |   1 +
 .../mount_option_opt_nosuid/rule.yml          |   1 +
 .../mount_option_srv_nosuid/rule.yml          |   1 +
 .../mount_option_tmp_nosuid/rule.yml          |   1 +
 .../mount_option_var_log_noexec/rule.yml      |   1 +
 .../mount_option_var_log_nosuid/rule.yml      |   1 +
 .../mount_option_var_noexec/rule.yml          |   1 +
 .../mount_option_var_nosuid/rule.yml          |   1 +
 .../mount_option_var_tmp_noexec/rule.yml      |   1 +
 .../mount_option_var_tmp_nosuid/rule.yml      |   1 +
 .../sysctl_kernel_kptr_restrict/rule.yml      |   1 +
 .../sysctl_kernel_modules_disabled/rule.yml   |   1 +
 .../sysctl_kernel_panic_on_oops/rule.yml      |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../sysctl_kernel_pid_max/rule.yml            |   1 +
 .../restrictions/sysctl_kernel_sysrq/rule.yml |   1 +
 .../sysctl_vm_mmap_min_addr/rule.yml          |   1 +
 .../directory_groupowner_etc_selinux/rule.yml |   1 +
 .../directory_owner_etc_selinux/rule.yml      |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../file_owner_etc_sestatus_conf/rule.yml     |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../package_setroubleshoot_removed/rule.yml   |   1 +
 .../sebool_deny_execmem/rule.yml              |   1 +
 .../sebool_polyinstantiation_enabled/rule.yml |   1 +
 .../sebool_ssh_sysadm_login/rule.yml          |   1 +
 .../partition_for_boot/rule.yml               |   2 +-
 .../partition_for_home/rule.yml               |   1 +
 .../partition_for_opt/rule.yml                |   1 +
 .../partition_for_srv/rule.yml                |   1 +
 .../partition_for_usr/rule.yml                |   2 +-
 .../partition_for_var/rule.yml                |   1 +
 .../partition_for_var_log/rule.yml            |   1 +
 .../partition_for_var_tmp/rule.yml            |   1 +
 .../systemd_tmp_mount_enabled/rule.yml        |   1 +
 .../aide/aide_scan_notification/rule.yml      |   1 +
 .../aide/aide_verify_acls/rule.yml            |   1 +
 .../aide/aide_verify_ext_attributes/rule.yml  |   1 +
 .../system/software/prefer_64bit_os/rule.yml  |   1 +
 .../rule.yml                                  |   1 +
 .../directory_owner_etc_sudoersd/rule.yml     |   1 +
 .../rule.yml                                  |   1 +
 .../sudo/file_groupowner_etc_sudoers/rule.yml |   1 +
 .../sudo/file_owner_etc_sudoers/rule.yml      |   1 +
 .../file_permissions_etc_sudoers/rule.yml     |   1 +
 .../software/sudo/sudo_add_env_reset/rule.yml |   2 +-
 .../sudo/sudo_add_ignore_dot/rule.yml         |   2 +-
 .../software/sudo/sudo_add_noexec/rule.yml    |   1 +
 .../sudo/sudo_add_requiretty/rule.yml         |   1 +
 .../software/sudo/sudo_add_umask/rule.yml     |   2 +-
 .../sudo/sudo_dedicated_group/rule.yml        |   1 +
 .../sudoers_explicit_command_args/rule.yml    |   1 +
 .../sudo/sudoers_no_command_negation/rule.yml |   1 +
 .../sudo/sudoers_no_root_target/rule.yml      |   1 +
 shared/references/cce-sle16-avail.txt         | 227 ------------------
 228 files changed, 227 insertions(+), 235 deletions(-)

diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
index 8664f8c4bc7d..6d3821a97db7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-89822-1
     cce@sle12: CCE-83219-6
     cce@sle15: CCE-91250-1
+    cce@sle16: CCE-96470-0
     cce@slmicro5: CCE-93655-9
     cce@slmicro6: CCE-94636-8
 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
index 7baee897f2ee..efef98acc465 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
@@ -53,6 +53,7 @@ identifiers:
     cce@rhel10: CCE-88170-6
     cce@sle12: CCE-91611-4
     cce@sle15: CCE-91251-9
+    cce@sle16: CCE-96363-7
 
 references:
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index be642d92f573..6b2f502687d1 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-90738-6
     cce@sle12: CCE-92258-3
     cce@sle15: CCE-85744-1
+    cce@sle16: CCE-96174-8
     cce@slmicro5: CCE-93612-0
     cce@slmicro6: CCE-94650-9
 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index c4a37ca44434..4d321ba3a10a 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-86727-5
     cce@sle12: CCE-83207-1
     cce@sle15: CCE-85591-6
+    cce@sle16: CCE-95909-8
     cce@slmicro5: CCE-93615-3
     cce@slmicro6: CCE-94616-0
 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index 288f0d033b4b..4ccc58df4968 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -34,6 +34,7 @@ identifiers:
     cce@rhel10: CCE-89893-2
     cce@sle12: CCE-92257-5
     cce@sle15: CCE-85731-8
+    cce@sle16: CCE-96256-3
     cce@slmicro5: CCE-93614-6
     cce@slmicro6: CCE-94652-5
 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index c2c798c0c6e7..40f76e0fcbea 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-88804-0
     cce@sle12: CCE-92256-7
     cce@sle15: CCE-85732-6
+    cce@sle16: CCE-96358-7
     cce@slmicro5: CCE-93613-8
     cce@slmicro6: CCE-94651-7
 
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
index da2b9e7fd6f6..721e16e03d13 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87937-9
     cce@sle12: CCE-83031-5
     cce@sle15: CCE-85605-4
+    cce@sle16: CCE-95842-1
     cce@slmicro5: CCE-93678-1
     cce@slmicro6: CCE-94656-6
 
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml
index 28c845c74a92..c58abf32c154 100644
--- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-89285-1
     cce@sle12: CCE-92394-6
     cce@sle15: CCE-92526-3
+    cce@sle16: CCE-96189-6
     cce@slmicro5: CCE-93908-2
 
 references:
diff --git a/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml b/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml
index 683af7223c1f..6fb1a9fea13f 100644
--- a/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml
+++ b/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86379-5
     cce@rhel9: CCE-86380-3
     cce@rhel10: CCE-88848-7
+    cce@sle16: CCE-96618-4
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/chrony.keys", owner="root") }}}'
 
diff --git a/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml b/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml
index 94d5ed71807b..01c82c5f51a1 100644
--- a/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml
+++ b/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86383-7
     cce@rhel9: CCE-86384-5
     cce@rhel10: CCE-88155-7
+    cce@sle16: CCE-96085-6
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/chrony.keys", perms="0640") }}}'
 
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
index f0ea9c5cf13d..59f8ac5c2f4f 100644
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-86992-5
     cce@sle12: CCE-92276-5
     cce@sle15: CCE-91392-1
+    cce@sle16: CCE-96595-4
     cce@slmicro5: CCE-93889-4
 
 references:
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
index 755283fde798..fd5b56034bd8 100644
--- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel8: CCE-86126-0
     cce@rhel9: CCE-86127-8
     cce@rhel10: CCE-90288-2
+    cce@sle16: CCE-96366-0
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/*_key", group="root") }}}'
 
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
index d25a28e32dc2..3e235d9d6e8e 100644
--- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86133-6
     cce@rhel9: CCE-86136-9
     cce@rhel10: CCE-90469-8
+    cce@sle16: CCE-96361-1
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/*.pub", group="root") }}}'
 
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
index 4fefa1a5a591..e173d5b5515f 100644
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-89829-6
     cce@sle12: CCE-92277-3
     cce@sle15: CCE-91393-9
+    cce@sle16: CCE-96194-6
     cce@slmicro5: CCE-93888-6
 
 references:
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
index ccb71fb9ae85..8bae6479baf1 100644
--- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel8: CCE-86118-7
     cce@rhel9: CCE-86119-5
     cce@rhel10: CCE-90624-8
+    cce@sle16: CCE-95879-3
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/*_key", owner="root") }}}'
 
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
index 4239d6724a9b..0e77032acb79 100644
--- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86129-4
     cce@rhel9: CCE-86130-2
     cce@rhel10: CCE-87297-8
+    cce@sle16: CCE-95980-9
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/*.pub", owner="root") }}}'
 
diff --git a/linux_os/guide/services/sssd/package_sssd_installed/rule.yml b/linux_os/guide/services/sssd/package_sssd_installed/rule.yml
index bcb5357c339f..d59ffbd19035 100644
--- a/linux_os/guide/services/sssd/package_sssd_installed/rule.yml
+++ b/linux_os/guide/services/sssd/package_sssd_installed/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel8: CCE-82444-1
     cce@rhel9: CCE-86083-3
     cce@rhel10: CCE-88372-8
+    cce@sle16: CCE-96157-3
 
 references:
     cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
index c3ac65d29cb5..aca8c868e2bd 100644
--- a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
+++ b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel8: CCE-82440-9
     cce@rhel9: CCE-86088-2
     cce@rhel10: CCE-87447-9
+    cce@sle16: CCE-95787-8
 
 platform: system_with_kernel and package[sssd]
 
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
index f994c2d74b86..aaec9121386b 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-84062-9
     cce@rhel9: CCE-86081-7
     cce@rhel10: CCE-87985-8
+    cce@sle16: CCE-96327-2
 
 references:
     nist: SC-12(3),CM-6(a)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
index 07df8396e911..5e939e548004 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel8: CCE-82437-5
     cce@rhel9: CCE-86082-5
     cce@rhel10: CCE-87817-3
+    cce@sle16: CCE-96464-3
 
 references:
     cis-csc: 11,12,14,15,3,8,9
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
index adc81468a3ab..2f481f735f4f 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel8: CCE-82446-6
     cce@rhel9: CCE-86087-4
     cce@rhel10: CCE-90093-6
+    cce@sle16: CCE-96039-3
 
 references:
     cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml
index 2c6f3d6d375c..da5b0d596ce0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml
@@ -22,7 +22,7 @@ identifiers:
   cce@rhel10: CCE-90739-4
   cce@sle12: CCE-91505-8
   cce@sle15: CCE-91196-6
-
+  cce@sle16: CCE-96060-9
 
 ocil_clause: |-
     pam_namespace.so is not required or is commented out
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml
index 6ddeca87203b..c2b84d63960f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83173-5
     cce@sle15: CCE-91398-8
+    cce@sle16: CCE-95993-2
     cce@slmicro5: CCE-94082-5
     cce@slmicro6: CCE-94641-8
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
index b8086a960a02..06794ce968d2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83169-3
     cce@sle15: CCE-85574-2
+    cce@sle16: CCE-96246-4
     cce@slmicro5: CCE-93767-2
     cce@slmicro6: CCE-94701-0
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
index 780f603045c1..f480c5d0113f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83166-9
     cce@sle15: CCE-85675-7
+    cce@sle16: CCE-96294-4
     cce@slmicro5: CCE-93762-3
     cce@slmicro6: CCE-94637-6
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
index f1bae24320ee..6c728f535085 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel10: CCE-90508-3
     cce@sle12: CCE-83171-9
     cce@sle15: CCE-85567-6
+    cce@sle16: CCE-95736-5
     cce@slmicro5: CCE-93682-3
     cce@slmicro6: CCE-94660-8
 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 03693d6cf2e2..0845bd49d442 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel10: CCE-87452-9
     cce@sle12: CCE-83257-6
     cce@sle15: CCE-91168-5
+    cce@sle16: CCE-95762-1
 
 references:
     cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml
index 97714adfda04..2cfd1a5396f5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-87667-2
     cce@rhel9: CCE-87668-0
     cce@rhel10: CCE-88296-9
+    cce@sle16: CCE-96252-2
 
 ocil_clause: 'any results are returned that are not associated with a system account'
 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
index 24cfaa9eddcb..7a93cacce005 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
@@ -22,6 +22,7 @@ identifiers:
   cce@rhel10: CCE-88705-9
   cce@sle12: CCE-91506-6
   cce@sle15: CCE-91197-4
+  cce@sle16: CCE-95788-6
 
 ocil_clause: is not configured
 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
index c58ada6743ce..276e58a84c72 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
@@ -22,6 +22,7 @@ identifiers:
   cce@rhel10: CCE-88424-7
   cce@sle12: CCE-91507-4
   cce@sle15: CCE-91198-2
+  cce@sle16: CCE-96428-8
 
 ocil_clause: is not configured
 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
index ef74d0ecb3c2..3605f82340c7 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-89225-7
     cce@sle12: CCE-92295-5
     cce@sle15: CCE-91408-5
+    cce@sle16: CCE-96569-9
 
 references:
     cis@sle12: 6.2.8
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
index 203e1e8eabc8..2713d8bc60bc 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-86981-8
     cce@sle12: CCE-92296-3
     cce@sle15: CCE-91409-3
+    cce@sle16: CCE-96227-4
 
 references:
     cis@sle12: 6.2.8
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
index 4ddd6fdbecc9..d6a764c59f60 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87195-4
     cce@sle12: CCE-92292-2
     cce@sle15: CCE-91405-1
+    cce@sle16: CCE-96340-5
 
 references:
     cis@sle12: 6.2.7
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
index 69e726080d45..9c3738271c36 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-88043-5
     cce@sle12: CCE-92293-0
     cce@sle15: CCE-91406-9
+    cce@sle16: CCE-96099-7
 
 references:
     cis@sle12: 6.2.7
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
index 630e46097f9e..df1cf7b7967a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-87460-2
     cce@sle12: CCE-92290-6
     cce@sle15: CCE-91403-6
+    cce@sle16: CCE-96668-9
     cce@slmicro5: CCE-94028-8
 
 references:
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index d945e84c2b55..46ddf596ed6e 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-87771-2
     cce@sle12: CCE-83097-6
     cce@sle15: CCE-85630-2
+    cce@sle16: CCE-96448-6
     cce@slmicro5: CCE-93749-0
     cce@slmicro6: CCE-95059-2 
 
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 8d3ae79e0aae..d62e681a65e2 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel10: CCE-88580-6
     cce@sle12: CCE-91530-6
     cce@sle15: CCE-91215-4
+    cce@sle16: CCE-95724-1
     cce@slmicro5: CCE-94023-9
 
 references:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index 7e9fd1b6dcf4..2169d4fa5f9c 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-89314-9
     cce@sle12: CCE-83052-1
     cce@sle15: CCE-85659-1
+    cce@sle16: CCE-96038-5
     cce@slmicro5: CCE-93753-2
     cce@slmicro6: CCE-95089-9
 
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
index 09900441660f..93adfed8d28c 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-87651-6
     cce@sle12: CCE-91531-4
     cce@sle15: CCE-91216-2
+    cce@sle16: CCE-96140-9
     cce@slmicro5: CCE-94024-7
 
 references:
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
index 41ee2618721c..e4796100e88f 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
@@ -19,7 +19,7 @@ identifiers:
     cce@rhel10: CCE-87932-0
     cce@sle12: CCE-91532-2
     cce@sle15: CCE-91217-0
-
+    cce@sle16: CCE-96649-9
 
 ocil_clause: 'I/OMMU is not activated'
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml
index 8776d5bf3287..e457bb00cce3 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel8: CCE-88123-5
     cce@rhel9: CCE-89123-4
     cce@rhel10: CCE-86521-2
+    cce@sle16: CCE-96540-0
 
 ocil_clause: 'l1tf mitigations are not configured appropriately'
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml
index b9d0db90b0f8..35cca812501a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel8: CCE-87098-0
     cce@rhel9: CCE-88098-9
     cce@rhel10: CCE-87067-5
+    cce@sle16: CCE-95847-0
 
 ocil_clause: 'MCE tolerance is not set to zero'
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
index 5ef143096710..659ce0038ea1 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-87345-5
     cce@rhel9: CCE-88345-4
     cce@rhel10: CCE-89372-7
+    cce@sle16: CCE-95742-3
 
 ocil_clause: 'the kernel is configured to disable SMAP'
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml
index ed4f2ce3dfc1..1448e85596f0 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml
@@ -31,6 +31,7 @@ identifiers:
     cce@rhel8: CCE-89567-2
     cce@rhel9: CCE-90567-9
     cce@rhel10: CCE-90519-0
+    cce@sle16: CCE-95794-4
 
 ocil_clause: 'trust on hardware random number generator is not configured appropriately'
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml
index bc977ab55fac..4fff9eee7baf 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel8: CCE-86777-0
     cce@rhel9: CCE-87770-4
     cce@rhel10: CCE-89884-1
+    cce@sle16: CCE-95733-2
 
 ocil_clause: 'merging of slabs with similar size is enabled'
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml
index 67870630e885..608da7e8a0a7 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml
@@ -33,6 +33,7 @@ identifiers:
     cce@rhel8: CCE-89234-9
     cce@rhel9: CCE-90234-6
     cce@rhel10: CCE-89300-8
+    cce@sle16: CCE-95929-6
 
 ocil_clause: 'SSB is not configured appropriately'
 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
index f85ec95dda05..e2d216c22c60 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-85915-7
     cce@rhel9: CCE-86696-2
     cce@rhel10: CCE-88090-6
+    cce@sle16: CCE-96462-7
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml
index b8886be9fb7b..d58624623dbb 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-86012-2
     cce@rhel9: CCE-86013-0
     cce@rhel10: CCE-87222-6
+    cce@sle16: CCE-96609-3
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
index 3ee7b3854c55..d2432647b3d0 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel8: CCE-85913-2
     cce@rhel9: CCE-86695-4
     cce@rhel10: CCE-89243-0
+    cce@sle16: CCE-96057-5
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml
index 89f771cab2b7..9587955025d3 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-86021-3
     cce@rhel9: CCE-86022-1
     cce@rhel10: CCE-89217-4
+    cce@sle16: CCE-96438-7
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index a4a7abb81ba4..bc9267378c97 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel8: CCE-85912-4
     cce@rhel9: CCE-85925-6
     cce@rhel10: CCE-88815-6
+    cce@sle16: CCE-96129-2
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml
index 29b2d1b53306..274b9f55651f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel8: CCE-86028-8
     cce@rhel9: CCE-86029-6
     cce@rhel10: CCE-90297-3
+    cce@sle16: CCE-96025-2
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml
index 475566370679..e8783af728ce 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-86778-8
     cce@rhel9: CCE-86779-6
     cce@rhel10: CCE-89223-2
+    cce@sle16: CCE-95814-0
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml
index 212d9ef32b80..4788e37e4876 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-87766-2
     cce@rhel9: CCE-87767-0
     cce@rhel10: CCE-87210-1
+    cce@sle16: CCE-96265-4
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml
index a92d750936c0..6c11fa7bba27 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-86095-7
     cce@rhel9: CCE-86096-5
     cce@rhel10: CCE-89980-7
+    cce@sle16: CCE-96106-0
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml
index 22af2d7de31d..5d112e988cae 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel8: CCE-88962-6
     cce@rhel9: CCE-88963-4
     cce@rhel10: CCE-90053-0
+    cce@sle16: CCE-95981-7
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml
index ff138943aedf..259cfa6521a6 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-87256-4
     cce@rhel9: CCE-87257-2
     cce@rhel10: CCE-88353-8
+    cce@sle16: CCE-96692-9
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml
index 9751b1e43b51..7e21594b0534 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel8: CCE-86656-6
     cce@rhel9: CCE-86657-4
     cce@rhel10: CCE-88628-3
+    cce@sle16: CCE-96017-9
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml
index c325f6265d8f..7170b89ea250 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-88033-6
     cce@rhel9: CCE-89033-5
     cce@rhel10: CCE-90684-2
+    cce@sle16: CCE-96629-1
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml
index 8b43c839bf66..3566c6a9d7af 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-86986-7
     cce@rhel9: CCE-86987-5
     cce@rhel10: CCE-86739-0
+    cce@sle16: CCE-96574-9
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml
index 17c0e1980733..ee4a6269a263 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-86814-1
     cce@rhel9: CCE-86815-8
     cce@rhel10: CCE-89355-2
+    cce@sle16: CCE-96344-7
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml
index 8d27a5881e70..466899913901 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-87148-3
     cce@rhel9: CCE-87149-1
     cce@rhel10: CCE-89292-7
+    cce@sle16: CCE-96359-5
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml
index e9f2443a603b..fad386a0619d 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel8: CCE-88160-7
     cce@rhel9: CCE-88161-5
     cce@rhel10: CCE-90330-2
+    cce@sle16: CCE-96450-2
 
 platform: x86_64_arch or aarch64_arch
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml
index 16100ff20e37..57f5fd0804cd 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-86947-9
     cce@rhel9: CCE-86948-7
     cce@rhel10: CCE-87428-9
+    cce@sle16: CCE-96408-0
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml
index 9e05dd5b022c..ae1341bee709 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-87608-6
     cce@rhel9: CCE-87609-4
     cce@rhel10: CCE-87786-0
+    cce@sle16: CCE-95950-2
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml
index 60d176410d84..42d615759ab3 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-88746-3
     cce@rhel9: CCE-88747-1
     cce@rhel10: CCE-87905-6
+    cce@sle16: CCE-96396-7
 
 platform: x86_64_arch
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml
index c7ba5d36f3cb..25c384c9b817 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-87488-3
     cce@rhel9: CCE-87489-1
     cce@rhel10: CCE-89414-7
+    cce@sle16: CCE-95737-3
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml
index 0662aab9b4d3..0c143f0929db 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-87925-4
     cce@rhel9: CCE-87926-2
     cce@rhel10: CCE-89570-6
+    cce@sle16: CCE-95831-4
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml
index 4f1bea71d00a..a23af42481e2 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-89378-4
     cce@rhel9: CCE-89379-2
     cce@rhel10: CCE-86836-4
+    cce@sle16: CCE-96615-0
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml
index 37e9f12e17db..dfe5a018fb5d 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-89615-9
     cce@rhel9: CCE-89616-7
     cce@rhel10: CCE-86520-4
+    cce@sle16: CCE-95955-1
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml
index 208327b194e7..f430259f7ef7 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-89459-2
     cce@rhel9: CCE-89460-0
     cce@rhel10: CCE-89203-4
+    cce@sle16: CCE-95719-1
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml
index f05c876e20ce..3786b5bd0ac4 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-89843-7
     cce@rhel9: CCE-89844-5
     cce@rhel10: CCE-87400-8
+    cce@sle16: CCE-96452-8
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml
index cf1c3d8e6f0e..edd1c1b88e8e 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel8: CCE-90000-1
     cce@rhel9: CCE-89999-7
     cce@rhel10: CCE-90444-1
+    cce@sle16: CCE-96015-3
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml
index 723b7653d364..3fc61093df5d 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-89692-8
     cce@rhel9: CCE-89691-0
     cce@rhel10: CCE-87565-8
+    cce@sle16: CCE-96566-5
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml
index 89e9f627a722..8b4577861b6f 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-88574-9
     cce@rhel9: CCE-88575-6
     cce@rhel10: CCE-87844-7
+    cce@sle16: CCE-96130-0
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml
index adf28b0b2722..4e7465236c53 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-88808-1
     cce@rhel9: CCE-88809-9
     cce@rhel10: CCE-90278-3
+    cce@sle16: CCE-96575-6
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml
index 08624fe8a169..8d18465fdc86 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-88591-3
     cce@rhel9: CCE-88592-1
     cce@rhel10: CCE-88464-3
+    cce@sle16: CCE-96529-3
 
 platform: x86_64_arch
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml
index f712157a12ec..a99c8997a2e4 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-86176-5
     cce@rhel9: CCE-86177-3
     cce@rhel10: CCE-89985-6
+    cce@sle16: CCE-95726-6
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml
index 32d45b4ca2fa..c7b5e2809366 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-86349-8
     cce@rhel9: CCE-86350-6
     cce@rhel10: CCE-86964-4
+    cce@sle16: CCE-96235-7
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml
index a43931553372..602e57da57fd 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-87105-3
     cce@rhel9: CCE-87106-1
     cce@rhel10: CCE-88511-1
+    cce@sle16: CCE-96083-1
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml
index 5c1576aa8a46..66f6764d5bf3 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-88318-1
     cce@rhel9: CCE-88319-9
     cce@rhel10: CCE-87989-0
+    cce@sle16: CCE-96510-3
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml
index 827c666e449e..9990da02bb70 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-88440-3
     cce@rhel9: CCE-88441-1
     cce@rhel10: CCE-88383-5
+    cce@sle16: CCE-95989-0
 
 platform: x86_64_arch
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml
index 261cd8a6ce80..059fe0c80fbc 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-87494-1
     cce@rhel9: CCE-87495-8
     cce@rhel10: CCE-89562-3
+    cce@sle16: CCE-96519-4
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml
index 201464ba05f5..b9d32b907bc0 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel9: CCE-86451-2
     cce@rhel10: CCE-87403-2
     cce@sle15: CCE-92567-7
+    cce@sle16: CCE-95777-9
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml
index fe3a38d84372..4c8a428075ee 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel9: CCE-86491-8
     cce@rhel10: CCE-89407-1
     cce@sle15: CCE-92568-5
+    cce@sle16: CCE-96560-8
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml
index f60cbb144a9e..98d382eeffe0 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel9: CCE-86573-3
     cce@rhel10: CCE-87679-7
     cce@sle15: CCE-92570-1
+    cce@sle16: CCE-96259-7
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml
index 707e3b575b47..4ac0bed31b1c 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-87339-8
     cce@rhel9: CCE-87340-6
     cce@rhel10: CCE-89137-4
+    cce@sle16: CCE-96445-2
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml
index 781acca096a1..ad631811de4a 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel9: CCE-86885-1
     cce@rhel10: CCE-89825-4
     cce@sle15: CCE-92571-9
+    cce@sle16: CCE-95918-9
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml
index 8f0d39a03642..607e85f3da64 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel9: CCE-86717-6
     cce@rhel10: CCE-87793-6
     cce@sle15: CCE-92572-7
+    cce@sle16: CCE-96626-7
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml
index 7a15122c2f8c..e881ea27183f 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-88275-3
     cce@rhel9: CCE-88276-1
     cce@rhel10: CCE-87071-7
+    cce@sle16: CCE-95987-4
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml
index 6388d834e296..905f36091301 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel8: CCE-87330-7
     cce@rhel9: CCE-87331-5
     cce@rhel10: CCE-89322-2
+    cce@sle16: CCE-95924-7
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml
index 742d5d6a5315..3bde406e4f86 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel8: CCE-89179-6
     cce@rhel9: CCE-89180-4
     cce@rhel10: CCE-90608-1
+    cce@sle16: CCE-95872-8
 
 platform: aarch64_arch
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml
index b4519fe5d52e..afb1739706db 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel8: CCE-87883-5
     cce@rhel9: CCE-87884-3
     cce@rhel10: CCE-88133-4
+    cce@sle16: CCE-96298-5
 
 ocil_clause: 'the kernel was not built with the required value'
 
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
index 1e1b45b98055..3fbda225bc36 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-88779-4
     cce@sle12: CCE-91511-6
     cce@sle15: CCE-85850-6
+    cce@sle16: CCE-96682-0
     cce@slmicro5: CCE-94014-8
 
 references:
diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
index 3bf6d1eaf6f5..47a7de4f9934 100644
--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-89106-9
     cce@sle12: CCE-91512-4
     cce@sle15: CCE-91199-0
+    cce@sle16: CCE-95816-5
 
 references:
     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
index 7e245593bc8b..198927dcd228 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-86592-3
     cce@sle12: CCE-91513-2
     cce@sle15: CCE-91200-6
+    cce@sle16: CCE-96405-6
 
 references:
     nist: AU-9(3),CM-6(a)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
index c9a7555c5e27..ff8c4ee91c3c 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-88456-9
     cce@sle12: CCE-91514-0
     cce@sle15: CCE-91201-4
+    cce@sle16: CCE-96407-2
 
 references:
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml
index 00c3bccff8e8..817074dc64f4 100644
--- a/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86439-7
     cce@rhel10: CCE-88800-8
     cce@sle15: CCE-92499-3
+    cce@sle16: CCE-96533-5
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ipsec.d", group="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml
index ee3fd8aacb67..bbee4ba1f94c 100644
--- a/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86303-5
     cce@rhel10: CCE-87636-7
     cce@sle15: CCE-92508-1
+    cce@sle16: CCE-96161-5
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ipsec.d", owner="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml
index 3ac5d4a863ad..9caeafde3ecb 100644
--- a/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86306-8
     cce@rhel10: CCE-88730-7
     cce@sle15: CCE-92517-2
+    cce@sle16: CCE-96356-1
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ipsec.d", perms="0700") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml
index 6ded8f5d59e0..88e0642ac261 100644
--- a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86387-8
     cce@rhel10: CCE-86941-2
     cce@sle15: CCE-92535-4
+    cce@sle16: CCE-96555-8
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ipsec.conf", group="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml
index 3335f4d11050..121c920acf70 100644
--- a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86398-5
     cce@rhel10: CCE-89956-7
     cce@sle15: CCE-92537-0
+    cce@sle16: CCE-96394-2
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ipsec.secrets", group="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml
index d34d45083769..2c3cca80ac6b 100644
--- a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86389-4
     cce@rhel9: CCE-86391-0
     cce@rhel10: CCE-87602-9
+    cce@sle16: CCE-96255-5
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ipsec.conf", owner="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml
index e852dc2af01e..f16a7747691f 100644
--- a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86400-9
     cce@rhel9: CCE-86401-7
     cce@rhel10: CCE-89330-5
+    cce@sle16: CCE-96064-1
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ipsec.secrets", owner="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml
index ad04bc9de2ac..a9112623365e 100644
--- a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86393-6
     cce@rhel9: CCE-86395-1
     cce@rhel10: CCE-86443-9
+    cce@sle16: CCE-95807-4
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ipsec.conf", perms="0644") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml
index 41e2d7994ad3..cae7c2174d21 100644
--- a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86410-8
     cce@rhel9: CCE-86411-6
     cce@rhel10: CCE-89450-1
+    cce@sle16: CCE-96190-4
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ipsec.secrets", perms="0644") }}}'
 
diff --git a/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml
index 850de8d57516..fd61baff835a 100644
--- a/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86426-4
     cce@rhel9: CCE-86427-2
     cce@rhel10: CCE-86460-3
+    cce@sle16: CCE-95799-3
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/iptables", group="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml
index 73bee5710314..61e65cf453d5 100644
--- a/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86429-8
     cce@rhel9: CCE-86430-6
     cce@rhel10: CCE-89981-5
+    cce@sle16: CCE-96146-6
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/iptables", owner="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml
index fe8bfe7c1de6..9ca60ed074a1 100644
--- a/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86435-5
     cce@rhel9: CCE-86436-3
     cce@rhel10: CCE-86577-4
+    cce@sle16: CCE-96612-7
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/iptables", perms="0700") }}}'
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
index 3b7fa656ccf9..d6c3e91138fa 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-90653-7
     cce@sle12: CCE-91517-3
     cce@sle15: CCE-91202-2
+    cce@sle16: CCE-96633-3
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
index b1e75aa592d6..449358c21675 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-88717-4
     cce@sle12: CCE-91518-1
     cce@sle15: CCE-91203-0
+    cce@sle16: CCE-95919-7
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
index 82d235cf30bf..7ba89e5d8ff1 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-90302-1
     cce@sle12: CCE-91519-9
     cce@sle15: CCE-91204-8
+    cce@sle16: CCE-96383-5
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 551d15a411a9..027e308f53db 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel10: CCE-90083-7
     cce@sle12: CCE-83246-9
     cce@sle15: CCE-85708-6
+    cce@sle16: CCE-96632-5
     cce@slmicro5: CCE-93635-1
     cce@slmicro6: CCE-95079-0 
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index d5356b7436e0..a96d1af2a24b 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-90450-8
     cce@sle12: CCE-83078-6
     cce@sle15: CCE-85649-2
+    cce@sle16: CCE-96132-6
     cce@slmicro5: CCE-93630-2
     cce@slmicro6: CCE-95074-1 
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
index 66431fe69b3e..413d120c2f30 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel10: CCE-88552-5
     cce@sle12: CCE-91521-5
     cce@sle15: CCE-91206-3
+    cce@sle16: CCE-96622-6
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.max_addresses", value="1") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
index c58038f96902..b9e6f37fbc6c 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-89461-8
     cce@sle12: CCE-91522-3
     cce@sle15: CCE-91207-1
+    cce@sle16: CCE-96065-8
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.router_solicitations", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
index 72703a4ddd80..eed209869204 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-88613-5
     cce@sle12: CCE-91523-1
     cce@sle15: CCE-91208-9
+    cce@sle16: CCE-96411-4
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
index b44a8ec176c9..f426bfda0309 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-88012-0
     cce@sle12: CCE-91524-9
     cce@sle15: CCE-91209-7
+    cce@sle16: CCE-96557-4
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
index 24855b34558d..8be051de79ce 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-90749-3
     cce@sle12: CCE-91525-6
     cce@sle15: CCE-91210-5
+    cce@sle16: CCE-96589-7
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index 7db2187f43ec..8f8f0be40d5b 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel10: CCE-89486-5
     cce@sle12: CCE-83223-8
     cce@sle15: CCE-85722-7
+    cce@sle16: CCE-96192-0
     cce@slmicro5: CCE-93636-9
     cce@slmicro6: CCE-95080-8 
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
index 3c5b873a4c98..26697c15d21c 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-86607-9
     cce@sle12: CCE-91526-4
     cce@sle15: CCE-91211-3
+    cce@sle16: CCE-96177-1
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.autoconf", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
index 1ca02e21ab20..60f370531c26 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel10: CCE-89273-7
     cce@sle12: CCE-91527-2
     cce@sle15: CCE-91212-1
+    cce@sle16: CCE-95727-4
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.max_addresses", value="1") }}}
 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
index a6fd5ec63f57..5ecba12f7eb4 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-89658-9
     cce@sle12: CCE-91528-0
     cce@sle15: CCE-91213-9
+    cce@sle16: CCE-96390-0
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.router_solicitations", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml
index 5091848972c4..cde2ea069c6a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-88789-3
     cce@rhel9: CCE-89789-2
     cce@rhel10: CCE-86895-0
+    cce@sle16: CCE-96055-9
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_local", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index fb26eb41907a..654a99a37f0d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-90409-4
     cce@sle12: CCE-83090-1
     cce@sle15: CCE-85651-8
+    cce@sle16: CCE-96527-7
     cce@slmicro5: CCE-93633-6
     cce@slmicro6: CCE-95077-4 
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 5fd871ab0fea..9bd302a891fb 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-90165-2
     cce@sle12: CCE-83064-6
     cce@sle15: CCE-85648-4
+    cce@sle16: CCE-96355-3
     cce@slmicro5: CCE-93629-4
     cce@slmicro6: CCE-95073-3 
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml
index fc747f705c48..ac9db557bdcd 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel9: CCE-89555-7
     cce@rhel10: CCE-89431-1
     cce@sle15: CCE-92609-7
+    cce@sle16: CCE-96549-1
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.arp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_arp_filter_value")) }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml
index 916872b8ffe0..9302d69a4d77 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel9: CCE-89889-0
     cce@rhel10: CCE-87433-9
     cce@sle15: CCE-92610-5
+    cce@sle16: CCE-96367-8
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.arp_ignore", value=xccdf_value("sysctl_net_ipv4_conf_all_arp_ignore")) }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml
index cd544692838a..3c2723ad9125 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel9: CCE-89023-6
     cce@rhel10: CCE-87566-6
     cce@sle15: CCE-92611-3
+    cce@sle16: CCE-96513-7
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.route_localnet", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml
index 311db0b56990..8a1d5353ccef 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml
@@ -14,6 +14,7 @@ identifiers:
     cce@rhel8: CCE-88333-0
     cce@rhel9: CCE-89333-9
     cce@rhel10: CCE-87897-5
+    cce@sle16: CCE-95865-2
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.shared_media", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index 81acc33e797e..8658fc9a8c75 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-88071-6
     cce@sle12: CCE-83079-4
     cce@sle15: CCE-85650-0
+    cce@sle16: CCE-96076-5
     cce@slmicro5: CCE-93631-0
     cce@slmicro6: CCE-95075-8 
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
index b57fd00eea2f..332b397304fe 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-87424-8
     cce@sle12: CCE-91534-8
     cce@sle15: CCE-91219-6
+    cce@sle16: CCE-96229-0
     cce@slmicro5: CCE-93989-2
 
 references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
index e93e06ac07ab..d0fcab062731 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel10: CCE-87878-5
     cce@sle12: CCE-91536-3
     cce@sle15: CCE-91221-2
+    cce@sle16: CCE-96196-1
     cce@slmicro5: CCE-93988-4
 
 references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml
index 03b578066423..6b58733b25c2 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml
@@ -14,6 +14,7 @@ identifiers:
     cce@rhel8: CCE-88444-5
     cce@rhel9: CCE-89444-4
     cce@rhel10: CCE-89010-3
+    cce@sle16: CCE-96642-4
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.shared_media", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
index 942c1351b285..8edb7ace3694 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel10: CCE-90347-6
     cce@sle12: CCE-91540-5
     cce@sle15: CCE-91225-3
+    cce@sle16: CCE-96447-8
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
index d6721442dc54..1fe1d752c719 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel10: CCE-86164-1
     cce@sle12: CCE-91538-9
     cce@sle15: CCE-91223-8
+    cce@sle16: CCE-96069-0
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.tcp_rfc1337", value="1") }}}
 
diff --git a/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml
index 4838427b8bcb..4b0b04bb39b9 100644
--- a/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86309-2
     cce@rhel10: CCE-87879-3
     cce@sle15: CCE-92500-8
+    cce@sle16: CCE-96397-5
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/nftables", group="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml
index 14eb51f4a138..d1e8d31f6366 100644
--- a/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86313-4
     cce@rhel10: CCE-88672-1
     cce@sle15: CCE-92509-9
+    cce@sle16: CCE-96211-8
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/nftables", owner="root") }}}'
 
diff --git a/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml
index a9d01ad9c783..4acab56b2bd9 100644
--- a/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86320-9
     cce@rhel10: CCE-88802-4
     cce@sle15: CCE-92521-4
+    cce@sle16: CCE-96496-5
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/nftables", perms="0700") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
index dbaec786e5ec..7e8dfdccc7b4 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-89514-4
     cce@sle12: CCE-91597-5
     cce@sle15: CCE-91239-4
+    cce@sle16: CCE-95897-5
 
 references:
     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000138-GPOS-00069
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
index 1285c94d87a1..4a300fcd8a49 100644
--- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
@@ -40,6 +40,7 @@ identifiers:
     cce@rhel10: CCE-89520-1
     cce@sle12: CCE-83244-4
     cce@sle15: CCE-85743-3
+    cce@sle16: CCE-95915-5
     cce@slmicro5: CCE-93702-9
     cce@slmicro6: CCE-94700-2
 
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
index d3b464811bd9..12dc621b7fde 100644
--- a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
@@ -38,6 +38,7 @@ identifiers:
     cce@rhel10: CCE-88203-5
     cce@sle12: CCE-83242-8
     cce@sle15: CCE-85741-7
+    cce@sle16: CCE-96321-5
     cce@slmicro5: CCE-93700-3
     cce@slmicro6: CCE-94698-8
 
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml
index f9a6756eca37..bf123935cac6 100644
--- a/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel8: CCE-86362-1
     cce@rhel9: CCE-86363-9
     cce@rhel10: CCE-88558-2
+    cce@sle16: CCE-95756-3
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/crypttab", group="root") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
index b15ee9a13dd1..c168d31a5c39 100644
--- a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-86583-2
     cce@rhel9: CCE-86584-0
     cce@rhel10: CCE-90164-5
+    cce@sle16: CCE-95738-1
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/System.map*", group="root") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml
index 7e4dc62c9a3c..750234e46588 100644
--- a/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel8: CCE-86365-4
     cce@rhel9: CCE-86366-2
     cce@rhel10: CCE-89519-3
+    cce@sle16: CCE-96640-8
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/crypttab", owner="root") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
index d10ec7e1ebd4..6a5a019b1605 100644
--- a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-86586-5
     cce@rhel9: CCE-86587-3
     cce@rhel10: CCE-89808-0
+    cce@sle16: CCE-96671-3
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/System.map*", owner="root") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml
index f3a6e8920bca..d9af9dca12e1 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel8: CCE-86369-6
     cce@rhel9: CCE-86370-4
     cce@rhel10: CCE-88726-5
+    cce@sle16: CCE-95862-9
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/crypttab", perms="0600") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
index 9190b28c74e7..e64a82b43400 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-82892-1
     cce@rhel9: CCE-86581-6
     cce@rhel10: CCE-86786-1
+    cce@sle16: CCE-96220-9
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/boot/System.map*", perms="-rw-------") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index ae63ad59d9e2..fb19523d62d2 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-90184-3
     cce@sle12: CCE-91472-1
     cce@sle15: CCE-91175-0
+    cce@sle16: CCE-95910-6
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 9ccab80ce39b..341e375c781e 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-86999-0
     cce@sle12: CCE-91473-9
     cce@sle15: CCE-91174-3
+    cce@sle16: CCE-96423-9
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index 46e60ad632b0..5fd648c30c3d 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-90043-1
     cce@sle12: CCE-92225-2
     cce@sle15: CCE-91348-3
+    cce@sle16: CCE-95841-3
     cce@slmicro5: CCE-93967-8
 
 references:
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
index f518cb5cd15d..114ab8dd6b32 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-90434-2
     cce@rhel10: CCE-90020-9
     cce@sle15: CCE-92541-2
+    cce@sle16: CCE-96404-9
 
 references:
     nist: AC-3,MP-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
index f49d8842b722..c3d73782a0a8 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel10: CCE-87701-9
     cce@sle12: CCE-91557-9
     cce@sle15: CCE-91230-3
+    cce@sle16: CCE-96275-3
     cce@slmicro5: CCE-93959-5
 
 references:
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
index 0d0c52baae12..89abfb9b8709 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-90435-9
     cce@rhel10: CCE-89594-6
     cce@sle15: CCE-92547-9
+    cce@sle16: CCE-96138-3
 
 references:
     nist: AC-3,MP-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index 49b4c7967b2c..83f8fd8acf6f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-86975-0
     cce@sle12: CCE-91558-7
     cce@sle15: CCE-91231-1
+    cce@sle16: CCE-96193-8
     cce@slmicro5: CCE-93951-2
 
 references:
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
index 83701e95cc30..de73d8f1a6ca 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-90432-6
     cce@rhel10: CCE-89912-0
     cce@sle15: CCE-92562-8
+    cce@sle16: CCE-96599-6
 
 references:
     nist: AC-3,MP-2
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml
index fe9ad0c2cb13..4b7a99b4add2 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86325-8
     cce@rhel10: CCE-90122-3
     cce@sle15: CCE-92506-5
+    cce@sle16: CCE-96187-0
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sysctl.d", group="root") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml
index 4fcf06a18c77..5bd29766509c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86330-8
     cce@rhel10: CCE-87242-4
     cce@sle15: CCE-92513-1
+    cce@sle16: CCE-96370-2
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sysctl.d", owner="root") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml
index 7f93f2ef4dc1..e00b35cee6b9 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86337-3
     cce@rhel10: CCE-89782-7
     cce@sle15: CCE-92527-1
+    cce@sle16: CCE-95827-2
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sysctl.d", perms="0755") }}}'
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
index 37ae549a7174..5b328052ae97 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
@@ -39,6 +39,7 @@ identifiers:
     cce@rhel10: CCE-89800-7
     cce@sle12: CCE-83243-6
     cce@sle15: CCE-85742-5
+    cce@sle16: CCE-96446-0
     cce@slmicro5: CCE-93701-1
     cce@slmicro6: CCE-94699-6
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index 1b91da3b6535..fade0c0a085e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-89620-9
     cce@sle12: CCE-83241-0
     cce@sle15: CCE-85730-0
+    cce@sle16: CCE-96514-5
     cce@slmicro5: CCE-93699-7
     cce@slmicro6: CCE-94697-0
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index 4ddad0a17e22..5cd917fc6c08 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-86978-4
     cce@sle12: CCE-83240-2
     cce@sle15: CCE-85729-2
+    cce@sle16: CCE-95994-0
     cce@slmicro5: CCE-93698-9
     cce@slmicro6: CCE-94696-2
 
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
index e80a9af6cd9a..ce10b4d619a7 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel10: CCE-86689-7
     cce@sle12: CCE-91559-5
     cce@sle15: CCE-91252-7
+    cce@sle16: CCE-95822-3
 
 references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
index 9f068896501b..1a88d1d8b782 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-88796-8
     cce@sle12: CCE-91560-3
     cce@sle15: CCE-91253-5
+    cce@sle16: CCE-96456-9
 
 references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
index cbd941664727..773ff170a481 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
@@ -23,7 +23,7 @@ identifiers:
     cce@rhel10: CCE-90334-4
     cce@sle12: CCE-91541-3
     cce@sle15: CCE-91234-5
-
+    cce@sle16: CCE-96582-2
 
 template:
     name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
index b90a2baf6565..6ef99131bf3d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-88881-8
     cce@sle12: CCE-91542-1
     cce@sle15: CCE-91235-2
+    cce@sle16: CCE-96648-1
 
 references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
index 097283478533..912d86cc0b97 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-87810-8
     cce@sle12: CCE-91543-9
     cce@sle15: CCE-91236-0
+    cce@sle16: CCE-96288-6
 
 references:
     nist: CM-6(b)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index 673295341d39..ccb05ba12ef7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-88987-3
     cce@sle12: CCE-83100-8
     cce@sle15: CCE-85633-6
+    cce@sle16: CCE-95966-8
     cce@slmicro5: CCE-93791-2
     cce@slmicro6: CCE-95062-6
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index e8bc70b499a5..0b982c79c1c1 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -33,6 +33,7 @@ identifiers:
     cce@rhel10: CCE-88981-6
     cce@sle12: CCE-91544-7
     cce@sle15: CCE-91237-8
+    cce@sle16: CCE-96023-7
 
 references:
     cis-csc: 11,14,3,9
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
index d5493739a92f..4e9086e97dc2 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-86868-7
     cce@sle12: CCE-91584-3
     cce@sle15: CCE-91270-9
+    cce@sle16: CCE-95940-3
 
 platform: mount[opt]
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
index f5f66509d8af..b196cc82a4a5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-90162-9
     cce@sle12: CCE-91585-0
     cce@sle15: CCE-91271-7
+    cce@sle16: CCE-95863-7
 
 platform: mount[srv]
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index 1485f4d8ee99..cf0e126f67e2 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-87318-2
     cce@sle12: CCE-91587-6
     cce@sle15: CCE-91273-3
+    cce@sle16: CCE-96573-1
 
 references:
     cis-csc: 11,13,14,3,8,9
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
index 819040553a9d..e2cbb432ed89 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-89129-1
     cce@sle12: CCE-91588-4
     cce@sle15: CCE-91274-1
+    cce@sle16: CCE-96444-5
 
 references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
index 936812700f4d..5ec43738c51b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-90639-6
     cce@sle12: CCE-91589-2
     cce@sle15: CCE-91275-8
+    cce@sle16: CCE-95774-6
 
 references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
index 1900132c63d8..87808eae8c22 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-90153-8
     cce@sle12: CCE-91590-0
     cce@sle15: CCE-91276-6
+    cce@sle16: CCE-96551-7
 
 platform: mount[var]
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
index 4ecbb408721f..d1a14d993188 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel10: CCE-89496-4
     cce@sle12: CCE-91591-8
     cce@sle15: CCE-91277-4
+    cce@sle16: CCE-95884-3
 
 {{{ complete_ocil_entry_mount_option("/var", "nosuid") }}}
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 5a49a43030a5..cce28561b5c0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87347-1
     cce@sle12: CCE-91592-6
     cce@sle15: CCE-91278-2
+    cce@sle16: CCE-95723-3
 
 references:
     cis@sle12: 1.1.12
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index dbe30c165901..3b0d2f507d03 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87892-6
     cce@sle12: CCE-91593-4
     cce@sle15: CCE-91279-0
+    cce@sle16: CCE-96199-5
 
 references:
     cis@sle12: 1.1.14
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index c6116f14cf9a..dcd1619f190b 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-88686-1
     cce@sle12: CCE-83125-5
     cce@sle15: CCE-83299-8
+    cce@sle16: CCE-96503-8
     cce@slmicro5: CCE-93627-8
     cce@slmicro6: CCE-94727-5
 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index ea7ed7dd56c9..7848282d36d4 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-87060-0
     cce@sle12: CCE-91566-0
     cce@sle15: CCE-91256-8
+    cce@sle16: CCE-96441-1
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml
index 4978ee7b55fa..d5e0ff2d7630 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel8: CCE-87666-4
     cce@rhel9: CCE-88666-3
     cce@rhel10: CCE-88293-6
+    cce@sle16: CCE-96624-2
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.panic_on_oops", value="1") }}}
 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
index 4193087a450b..efa5539867f5 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel10: CCE-87824-9
     cce@sle12: CCE-91567-8
     cce@sle15: CCE-91257-6
+    cce@sle16: CCE-95810-8
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_cpu_time_max_percent", value="1") }}}
 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
index a9cd4ecb8b02..311c2a720ae3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel10: CCE-88924-6
     cce@sle12: CCE-91569-4
     cce@sle15: CCE-91259-2
+    cce@sle16: CCE-96293-6
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_event_max_sample_rate", value="1") }}}
 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
index 0a3b7150118e..15066db66a1a 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel10: CCE-90142-1
     cce@sle12: CCE-91568-6
     cce@sle15: CCE-91258-4
+    cce@sle16: CCE-96571-5
 
 references:
     nist: AC-6
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
index d4fdaab86b80..d87e5a513942 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel10: CCE-88134-2
     cce@sle12: CCE-91570-2
     cce@sle15: CCE-91260-0
+    cce@sle16: CCE-95760-5
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.pid_max", value="65536") }}}
 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
index 61cb3a8d4f6c..7a4c299a370b 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel10: CCE-90232-0
     cce@sle12: CCE-91571-0
     cce@sle15: CCE-91261-8
+    cce@sle16: CCE-96062-5
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.sysrq", value="0") }}}
 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
index 3b247e01b199..581d1200fe48 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel10: CCE-87534-4
     cce@sle12: CCE-91573-6
     cce@sle15: CCE-91263-4
+    cce@sle16: CCE-96371-0
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="vm.mmap_min_addr", value="65536") }}}
 
diff --git a/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml
index 96333381c14e..4cf322bb6f65 100644
--- a/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86274-8
     cce@rhel10: CCE-87637-5
     cce@sle15: CCE-92501-6
+    cce@sle16: CCE-96054-2
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/selinux", group="root") }}}'
 
diff --git a/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml
index 5f14cf353776..5273edd45640 100644
--- a/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86271-4
     cce@rhel10: CCE-89309-9
     cce@sle15: CCE-92510-7
+    cce@sle16: CCE-96414-8
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/selinux", owner="root") }}}'
 
diff --git a/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml
index b2bbcef59795..1428e4d9ff4a 100644
--- a/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86279-7
     cce@rhel10: CCE-87997-3
     cce@sle15: CCE-92524-8
+    cce@sle16: CCE-96570-7
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/selinux", perms="0755") }}}'
 
diff --git a/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml
index 73216cabd0aa..96b0d62306f2 100644
--- a/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml
+++ b/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86288-8
     cce@rhel9: CCE-86289-6
     cce@rhel10: CCE-89741-3
+    cce@sle16: CCE-95848-8
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sestatus.conf", group="root") }}}'
 
diff --git a/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml
index ba62bf3c001b..923c2deafc18 100644
--- a/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml
+++ b/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86285-4
     cce@rhel9: CCE-86286-2
     cce@rhel10: CCE-86503-0
+    cce@sle16: CCE-95806-6
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sestatus.conf", owner="root") }}}'
 
diff --git a/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml
index 0ae5fea5b3bb..23c360f25e80 100644
--- a/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml
+++ b/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86291-2
     cce@rhel9: CCE-86293-8
     cce@rhel10: CCE-90692-5
+    cce@sle16: CCE-95722-5
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sestatus.conf", perms="0644") }}}'
 
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
index c203843bb30c..2578c0675617 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-89365-1
     cce@sle12: CCE-91582-7
     cce@sle15: CCE-91269-1
+    cce@sle16: CCE-96431-2
 
 {{{ complete_ocil_entry_package(package="setroubleshoot-plugins") }}}
 
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
index 2e64ff92ed3e..b4d07c4ba6f2 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-89569-8
     cce@sle12: CCE-91580-1
     cce@sle15: CCE-91267-5
+    cce@sle16: CCE-96268-8
 
 {{{ complete_ocil_entry_package(package="setroubleshoot-server") }}}
 
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
index 5948b2d9202c..8c8fd76fa459 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-89902-1
     cce@sle12: CCE-91581-9
     cce@sle15: CCE-91268-3
+    cce@sle16: CCE-96597-0
 
 template:
     name: package_removed
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index 54e9870d16ed..1c5b8900ad3a 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-87708-4
     cce@sle12: CCE-91575-1
     cce@sle15: CCE-91265-9
+    cce@sle16: CCE-96278-7
 
 {{{ complete_ocil_entry_sebool_var(sebool="deny_execmem") }}}
 
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
index 98f8fb788a78..dc41037d27f1 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel10: CCE-88652-3
     cce@sle12: CCE-91579-3
     cce@sle15: CCE-91238-6
+    cce@sle16: CCE-95753-0
 
 {{{ complete_ocil_entry_sebool_var(sebool="polyinstantiation_enabled") }}}
 
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
index 33e7510ffbae..778bfb653bff 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-90429-2
     cce@sle12: CCE-91574-4
     cce@sle15: CCE-91264-2
+    cce@sle16: CCE-95928-8
 
 {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}}
 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
index 01c898effa81..11ea801cb32c 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
@@ -22,7 +22,7 @@ identifiers:
     cce@rhel10: CCE-90755-0
     cce@sle12: CCE-91484-6
     cce@sle15: CCE-91176-8
-
+    cce@sle16: CCE-96430-4
 
 {{{ complete_ocil_entry_separate_partition(part="/boot") }}}
 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
index f20cf960ae8e..9ea58be5c905 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-88231-6
     cce@sle12: CCE-83152-9
     cce@sle15: CCE-85639-3
+    cce@sle16: CCE-95729-0
     cce@slmicro5: CCE-93796-1
     cce@slmicro6: CCE-95066-7 
 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
index dbb3529e26d0..077f8b781141 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-90750-1
     cce@sle12: CCE-91485-3
     cce@sle15: CCE-91177-6
+    cce@sle16: CCE-96081-5
 
 {{{ complete_ocil_entry_separate_partition(part="/opt") }}}
 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
index 871ce4fc85ed..773ee54cce20 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-88936-0
     cce@sle12: CCE-91486-1
     cce@sle15: CCE-91178-4
+    cce@sle16: CCE-95922-1
 
 {{{ complete_ocil_entry_separate_partition(part="/srv") }}}
 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
index a91af9b298db..ec9a94703a6b 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
@@ -21,7 +21,7 @@ identifiers:
     cce@rhel10: CCE-90748-5
     cce@sle12: CCE-91488-7
     cce@sle15: CCE-91180-0
-
+    cce@sle16: CCE-96274-6
 
 {{{ complete_ocil_entry_separate_partition(part="/usr") }}}
 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
index 98f4a53535fe..0c9ca10087f2 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-89166-3
     cce@sle12: CCE-83153-7
     cce@sle15: CCE-85640-1
+    cce@sle16: CCE-95761-3
     cce@slmicro5: CCE-93797-9
     cce@slmicro6: CCE-95067-5 
 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
index 267652595db1..4afdabd4c279 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-88355-3
     cce@sle12: CCE-91489-5
     cce@sle15: CCE-91181-8
+    cce@sle16: CCE-95945-2
 
 references:
     cis-csc: 1,12,14,15,16,3,5,6,8
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index c83b50a9f044..80b218b85f76 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-87694-6
     cce@sle12: CCE-91490-3
     cce@sle15: CCE-91182-6
+    cce@sle16: CCE-96245-6
 
 references:
     cis@sle12: 1.1.11
diff --git a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
index 6f6532637e10..946e387e60c7 100644
--- a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel8: CCE-86890-1
     cce@rhel9: CCE-86891-9
     cce@rhel10: CCE-89797-5
+    cce@sle16: CCE-96195-3
 
 ocil: |-
     {{{ ocil_systemd_mount_enabled("tmp") }}}
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
index eb4520986a98..1b959ae04a4a 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-90177-7
     cce@sle12: CCE-83048-9
     cce@sle15: CCE-91214-7
+    cce@sle16: CCE-96460-1
     cce@slmicro5: CCE-93722-7
     cce@slmicro6: CCE-94730-9
 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
index 0525db7b3921..6563fe6a637b 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-89640-7
     cce@sle12: CCE-83150-3
     cce@sle15: CCE-85623-7
+    cce@sle16: CCE-96372-8
     cce@slmicro5: CCE-93742-5
     cce@slmicro6: CCE-95052-7 
 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
index 1f681250134a..35ed5b595891 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-89625-8
     cce@sle12: CCE-83151-1
     cce@sle15: CCE-85624-5
+    cce@sle16: CCE-96620-0
     cce@slmicro5: CCE-93743-3
     cce@slmicro6: CCE-95053-5 
 
diff --git a/linux_os/guide/system/software/prefer_64bit_os/rule.yml b/linux_os/guide/system/software/prefer_64bit_os/rule.yml
index 59cf1d282ec8..ae680e70e632 100644
--- a/linux_os/guide/system/software/prefer_64bit_os/rule.yml
+++ b/linux_os/guide/system/software/prefer_64bit_os/rule.yml
@@ -21,6 +21,7 @@ identifiers:
   cce@rhel10: CCE-90578-6
   cce@sle12: CCE-91504-1
   cce@sle15: CCE-91195-8
+  cce@sle16: CCE-96208-4
 
 ocil_clause: the installed operating system is 32-bit but the CPU supports operation in 64-bit
 
diff --git a/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml b/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml
index 7f1dc1ddb307..ca8efcd5e8b9 100644
--- a/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml
+++ b/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86351-4
     cce@rhel10: CCE-87598-9
     cce@sle15: CCE-92503-2
+    cce@sle16: CCE-96050-0
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sudoers.d", group="root") }}}'
 
diff --git a/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml b/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml
index 3183986c551a..1a87f6ee8fca 100644
--- a/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml
+++ b/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86357-1
     cce@rhel10: CCE-89589-6
     cce@sle15: CCE-92512-3
+    cce@sle16: CCE-96623-4
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sudoers.d", owner="root") }}}'
 
diff --git a/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml b/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml
index da1a48a14465..652eef8152eb 100644
--- a/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml
+++ b/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel9: CCE-86360-5
     cce@rhel10: CCE-89200-0
     cce@sle15: CCE-92525-5
+    cce@sle16: CCE-96110-2
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sudoers.d", perms="0750") }}}'
 
diff --git a/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml b/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml
index cfe3d033707d..a4f8eced4463 100644
--- a/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml
+++ b/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86413-2
     cce@rhel9: CCE-86414-0
     cce@rhel10: CCE-89613-4
+    cce@sle16: CCE-96285-2
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sudoers", group="root") }}}'
 
diff --git a/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml b/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml
index a1e02385222c..913068677c86 100644
--- a/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml
+++ b/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86416-5
     cce@rhel9: CCE-86417-3
     cce@rhel10: CCE-87065-9
+    cce@sle16: CCE-96512-9
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sudoers", owner="root") }}}'
 
diff --git a/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml b/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml
index d1e594c490d7..c6c7752ce18a 100644
--- a/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml
+++ b/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-86419-9
     cce@rhel9: CCE-86424-9
     cce@rhel10: CCE-90690-9
+    cce@sle16: CCE-96318-1
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sudoers", perms="0440") }}}'
 
diff --git a/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml
index ee1af2c63369..6918afa2ea0f 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml
@@ -24,7 +24,7 @@ identifiers:
     cce@rhel10: CCE-90747-7
     cce@sle12: CCE-91492-9
     cce@sle15: CCE-91184-2
-
+    cce@sle16: CCE-96178-9
 
 ocil_clause: 'env_reset is not enabled in sudo'
 
diff --git a/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml
index 3202a1efc830..9c4003d3e523 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml
@@ -24,7 +24,7 @@ identifiers:
     cce@rhel10: CCE-90743-6
     cce@sle12: CCE-91493-7
     cce@sle15: CCE-91185-9
-
+    cce@sle16: CCE-96048-4
 
 ocil_clause: 'ignore_dot is not enabled in sudo'
 
diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
index 8c77ea2e3d79..93ee04d74015 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-89119-2
     cce@sle12: CCE-91494-5
     cce@sle15: CCE-91186-7
+    cce@sle16: CCE-96653-1
 
 ocil_clause: 'noexec is not enabled in sudo'
 
diff --git a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
index ffce5a30d2c9..ace4a8de296d 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-90076-1
     cce@sle12: CCE-91496-0
     cce@sle15: CCE-91188-3
+    cce@sle16: CCE-95927-0
 
 ocil_clause: 'requiretty is not enabled in sudo'
 
diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml
index 03f2ed524dc6..ea5f13d80676 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml
@@ -24,7 +24,7 @@ identifiers:
     cce@rhel8: CCE-83860-7
     cce@sle12: CCE-91498-6
     cce@sle15: CCE-91189-1
-
+    cce@sle16: CCE-96241-5
 
 ocil_clause: 'umask is not set with the appropriate value for sudo'
 
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
index f04cfbfe2502..0fd5f740e5e3 100644
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-89208-3
     cce@sle12: CCE-91500-9
     cce@sle15: CCE-91191-7
+    cce@sle16: CCE-96236-5
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/usr/bin/sudo", group=xccdf_value("var_sudo_dedicated_group")) }}}'
 
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
index 95798eda09f1..ed93aa6d2aef 100644
--- a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
@@ -27,6 +27,7 @@ identifiers:
     cce@rhel10: CCE-90002-7
     cce@sle12: CCE-91501-7
     cce@sle15: CCE-91192-5
+    cce@sle16: CCE-95946-0
 
 ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
 
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
index f956dbc51fb9..9c15e34b9897 100644
--- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-90660-2
     cce@sle12: CCE-91502-5
     cce@sle15: CCE-91193-3
+    cce@sle16: CCE-95859-5
 
 ocil_clause: '/etc/sudoers file contains rules that define the set of allowed commands using negation'
 
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
index b48bd38dbd19..ebd11afe383b 100644
--- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-90532-3
     cce@sle12: CCE-91503-3
     cce@sle15: CCE-91194-1
+    cce@sle16: CCE-96440-3
 
 # The second part of the sentence explaining what got wrong.
 # ... Is it the case that 
diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
index 85d8169d528f..32b21dd878c5 100644
--- a/shared/references/cce-sle16-avail.txt
+++ b/shared/references/cce-sle16-avail.txt
@@ -1,84 +1,49 @@
 CCE-95718-3
-CCE-95719-1
 CCE-95720-9
-CCE-95722-5
-CCE-95723-3
-CCE-95724-1
 CCE-95725-8
-CCE-95726-6
-CCE-95727-4
-CCE-95729-0
 CCE-95730-8
 CCE-95731-6
 CCE-95732-4
-CCE-95733-2
 CCE-95735-7
-CCE-95736-5
-CCE-95737-3
-CCE-95738-1
 CCE-95741-5
-CCE-95742-3
 CCE-95751-4
 CCE-95752-2
-CCE-95753-0
 CCE-95754-8
 CCE-95755-5
-CCE-95756-3
 CCE-95758-9
 CCE-95759-7
-CCE-95760-5
-CCE-95761-3
-CCE-95762-1
 CCE-95766-2
 CCE-95767-0
 CCE-95768-8
 CCE-95770-4
 CCE-95772-0
-CCE-95774-6
 CCE-95775-3
-CCE-95777-9
 CCE-95779-5
 CCE-95781-1
 CCE-95785-2
 CCE-95786-0
-CCE-95787-8
-CCE-95788-6
 CCE-95789-4
 CCE-95790-2
 CCE-95791-0
-CCE-95794-4
 CCE-95798-5
-CCE-95799-3
 CCE-95800-9
 CCE-95802-5
 CCE-95803-3
 CCE-95804-1
-CCE-95806-6
-CCE-95807-4
 CCE-95808-2
-CCE-95810-8
 CCE-95813-2
-CCE-95814-0
 CCE-95815-7
-CCE-95816-5
 CCE-95819-9
-CCE-95822-3
 CCE-95823-1
 CCE-95824-9
 CCE-95826-4
-CCE-95827-2
 CCE-95829-8
-CCE-95831-4
 CCE-95832-2
 CCE-95833-0
 CCE-95834-8
 CCE-95836-3
 CCE-95838-9
 CCE-95839-7
-CCE-95841-3
-CCE-95842-1
-CCE-95847-0
-CCE-95848-8
 CCE-95849-6
 CCE-95852-0
 CCE-95853-8
@@ -86,58 +51,40 @@ CCE-95854-6
 CCE-95856-1
 CCE-95857-9
 CCE-95858-7
-CCE-95859-5
 CCE-95860-3
 CCE-95861-1
-CCE-95862-9
-CCE-95863-7
 CCE-95864-5
-CCE-95865-2
 CCE-95867-8
 CCE-95868-6
 CCE-95869-4
 CCE-95870-2
 CCE-95871-0
-CCE-95872-8
 CCE-95875-1
 CCE-95876-9
 CCE-95877-7
 CCE-95878-5
-CCE-95879-3
 CCE-95881-9
 CCE-95883-5
-CCE-95884-3
 CCE-95887-6
 CCE-95890-0
 CCE-95892-6
 CCE-95894-2
 CCE-95896-7
-CCE-95897-5
 CCE-95899-1
 CCE-95901-5
 CCE-95904-9
 CCE-95906-4
 CCE-95907-2
 CCE-95908-0
-CCE-95909-8
-CCE-95910-6
 CCE-95912-2
 CCE-95913-0
 CCE-95914-8
-CCE-95915-5
 CCE-95916-3
 CCE-95917-1
-CCE-95918-9
-CCE-95919-7
 CCE-95920-5
-CCE-95922-1
 CCE-95923-9
-CCE-95924-7
 CCE-95925-4
 CCE-95926-2
-CCE-95927-0
-CCE-95928-8
-CCE-95929-6
 CCE-95930-4
 CCE-95932-0
 CCE-95934-6
@@ -145,19 +92,14 @@ CCE-95935-3
 CCE-95937-9
 CCE-95938-7
 CCE-95939-5
-CCE-95940-3
 CCE-95941-1
 CCE-95943-7
-CCE-95945-2
-CCE-95946-0
 CCE-95947-8
 CCE-95948-6
 CCE-95949-4
-CCE-95950-2
 CCE-95951-0
 CCE-95952-8
 CCE-95953-6
-CCE-95955-1
 CCE-95956-9
 CCE-95957-7
 CCE-95958-5
@@ -165,7 +107,6 @@ CCE-95960-1
 CCE-95962-7
 CCE-95963-5
 CCE-95964-3
-CCE-95966-8
 CCE-95967-6
 CCE-95969-2
 CCE-95970-0
@@ -176,17 +117,11 @@ CCE-95976-7
 CCE-95977-5
 CCE-95978-3
 CCE-95979-1
-CCE-95980-9
-CCE-95981-7
 CCE-95984-1
 CCE-95986-6
-CCE-95987-4
 CCE-95988-2
-CCE-95989-0
 CCE-95990-8
 CCE-95991-6
-CCE-95993-2
-CCE-95994-0
 CCE-95995-7
 CCE-95997-3
 CCE-95998-1
@@ -198,11 +133,7 @@ CCE-96004-7
 CCE-96006-2
 CCE-96009-6
 CCE-96011-2
-CCE-96015-3
-CCE-96017-9
 CCE-96022-9
-CCE-96023-7
-CCE-96025-2
 CCE-96026-0
 CCE-96028-6
 CCE-96029-4
@@ -212,39 +143,23 @@ CCE-96034-4
 CCE-96035-1
 CCE-96036-9
 CCE-96037-7
-CCE-96038-5
-CCE-96039-3
 CCE-96040-1
 CCE-96041-9
 CCE-96042-7
 CCE-96044-3
 CCE-96045-0
 CCE-96046-8
-CCE-96048-4
-CCE-96050-0
 CCE-96051-8
-CCE-96054-2
-CCE-96055-9
 CCE-96056-7
-CCE-96057-5
 CCE-96059-1
-CCE-96060-9
 CCE-96061-7
-CCE-96062-5
-CCE-96064-1
-CCE-96065-8
 CCE-96067-4
-CCE-96069-0
 CCE-96070-8
 CCE-96071-6
 CCE-96073-2
-CCE-96076-5
 CCE-96078-1
 CCE-96079-9
-CCE-96081-5
 CCE-96082-3
-CCE-96083-1
-CCE-96085-6
 CCE-96086-4
 CCE-96087-2
 CCE-96091-4
@@ -253,15 +168,12 @@ CCE-96093-0
 CCE-96095-5
 CCE-96097-1
 CCE-96098-9
-CCE-96099-7
 CCE-96100-3
 CCE-96103-7
 CCE-96104-5
 CCE-96105-2
-CCE-96106-0
 CCE-96108-6
 CCE-96109-4
-CCE-96110-2
 CCE-96111-0
 CCE-96112-8
 CCE-96113-6
@@ -275,26 +187,18 @@ CCE-96121-9
 CCE-96124-3
 CCE-96125-0
 CCE-96126-8
-CCE-96129-2
-CCE-96130-0
-CCE-96132-6
 CCE-96136-7
 CCE-96137-5
-CCE-96138-3
 CCE-96139-1
-CCE-96140-9
 CCE-96143-3
-CCE-96146-6
 CCE-96147-4
 CCE-96149-0
 CCE-96150-8
 CCE-96151-6
 CCE-96153-2
 CCE-96154-0
-CCE-96157-3
 CCE-96159-9
 CCE-96160-7
-CCE-96161-5
 CCE-96162-3
 CCE-96163-1
 CCE-96164-9
@@ -304,92 +208,56 @@ CCE-96167-2
 CCE-96168-0
 CCE-96170-6
 CCE-96173-0
-CCE-96174-8
 CCE-96175-5
 CCE-96176-3
-CCE-96177-1
-CCE-96178-9
 CCE-96179-7
 CCE-96180-5
 CCE-96181-3
 CCE-96182-1
 CCE-96184-7
 CCE-96186-2
-CCE-96187-0
-CCE-96189-6
-CCE-96190-4
 CCE-96191-2
-CCE-96192-0
-CCE-96193-8
-CCE-96194-6
-CCE-96195-3
-CCE-96196-1
 CCE-96197-9
 CCE-96198-7
-CCE-96199-5
 CCE-96200-1
 CCE-96204-3
 CCE-96205-0
 CCE-96206-8
-CCE-96208-4
 CCE-96209-2
-CCE-96211-8
 CCE-96214-2
 CCE-96216-7
 CCE-96219-1
-CCE-96220-9
 CCE-96222-5
 CCE-96223-3
 CCE-96224-1
 CCE-96225-8
-CCE-96227-4
 CCE-96228-2
-CCE-96229-0
 CCE-96230-8
 CCE-96231-6
 CCE-96233-2
-CCE-96235-7
-CCE-96236-5
 CCE-96237-3
 CCE-96238-1
 CCE-96240-7
-CCE-96241-5
-CCE-96245-6
-CCE-96246-4
 CCE-96248-0
 CCE-96249-8
 CCE-96250-6
 CCE-96251-4
-CCE-96252-2
 CCE-96253-0
-CCE-96255-5
-CCE-96256-3
 CCE-96258-9
-CCE-96259-7
 CCE-96260-5
 CCE-96261-3
 CCE-96264-7
-CCE-96265-4
 CCE-96267-0
-CCE-96268-8
 CCE-96269-6
 CCE-96270-4
-CCE-96274-6
-CCE-96275-3
 CCE-96277-9
-CCE-96278-7
 CCE-96280-3
 CCE-96281-1
-CCE-96285-2
-CCE-96288-6
 CCE-96289-4
 CCE-96291-0
 CCE-96292-8
-CCE-96293-6
-CCE-96294-4
 CCE-96296-9
 CCE-96297-7
-CCE-96298-5
 CCE-96302-5
 CCE-96303-3
 CCE-96304-1
@@ -401,14 +269,11 @@ CCE-96311-6
 CCE-96312-4
 CCE-96313-2
 CCE-96316-5
-CCE-96318-1
 CCE-96319-9
 CCE-96320-7
-CCE-96321-5
 CCE-96322-3
 CCE-96324-9
 CCE-96326-4
-CCE-96327-2
 CCE-96331-4
 CCE-96332-2
 CCE-96333-0
@@ -417,9 +282,7 @@ CCE-96336-3
 CCE-96337-1
 CCE-96338-9
 CCE-96339-7
-CCE-96340-5
 CCE-96343-9
-CCE-96344-7
 CCE-96345-4
 CCE-96346-2
 CCE-96347-0
@@ -428,85 +291,44 @@ CCE-96349-6
 CCE-96351-2
 CCE-96352-0
 CCE-96354-6
-CCE-96355-3
-CCE-96356-1
 CCE-96357-9
-CCE-96358-7
-CCE-96359-5
-CCE-96361-1
 CCE-96362-9
-CCE-96363-7
-CCE-96366-0
-CCE-96367-8
 CCE-96369-4
-CCE-96370-2
-CCE-96371-0
-CCE-96372-8
 CCE-96374-4
 CCE-96375-1
 CCE-96379-3
 CCE-96380-1
-CCE-96383-5
 CCE-96387-6
 CCE-96389-2
-CCE-96390-0
 CCE-96392-6
-CCE-96394-2
 CCE-96395-9
-CCE-96396-7
-CCE-96397-5
 CCE-96399-1
 CCE-96400-7
 CCE-96401-5
 CCE-96402-3
 CCE-96403-1
-CCE-96404-9
-CCE-96405-6
-CCE-96407-2
-CCE-96408-0
 CCE-96410-6
-CCE-96411-4
 CCE-96412-2
 CCE-96413-0
-CCE-96414-8
 CCE-96415-5
 CCE-96417-1
 CCE-96418-9
 CCE-96419-7
 CCE-96421-3
-CCE-96423-9
 CCE-96424-7
 CCE-96425-4
 CCE-96426-2
 CCE-96427-0
-CCE-96428-8
-CCE-96430-4
-CCE-96431-2
 CCE-96432-0
-CCE-96438-7
 CCE-96439-5
-CCE-96440-3
-CCE-96441-1
-CCE-96444-5
-CCE-96445-2
-CCE-96446-0
-CCE-96447-8
-CCE-96448-6
 CCE-96449-4
-CCE-96450-2
-CCE-96452-8
 CCE-96454-4
 CCE-96455-1
-CCE-96456-9
 CCE-96459-3
-CCE-96460-1
 CCE-96461-9
-CCE-96462-7
 CCE-96463-5
-CCE-96464-3
 CCE-96466-8
 CCE-96469-2
-CCE-96470-0
 CCE-96471-8
 CCE-96472-6
 CCE-96474-2
@@ -523,79 +345,51 @@ CCE-96492-4
 CCE-96493-2
 CCE-96494-0
 CCE-96495-7
-CCE-96496-5
 CCE-96497-3
 CCE-96498-1
 CCE-96502-0
-CCE-96503-8
 CCE-96504-6
 CCE-96507-9
 CCE-96508-7
-CCE-96510-3
 CCE-96511-1
-CCE-96512-9
-CCE-96513-7
-CCE-96514-5
 CCE-96515-2
 CCE-96517-8
 CCE-96518-6
-CCE-96519-4
 CCE-96520-2
 CCE-96523-6
 CCE-96524-4
 CCE-96525-1
-CCE-96527-7
 CCE-96528-5
-CCE-96529-3
 CCE-96530-1
-CCE-96533-5
 CCE-96536-8
 CCE-96537-6
 CCE-96538-4
 CCE-96539-2
-CCE-96540-0
 CCE-96542-6
 CCE-96543-4
 CCE-96545-9
 CCE-96546-7
 CCE-96548-3
-CCE-96549-1
-CCE-96551-7
 CCE-96552-5
 CCE-96553-3
 CCE-96554-1
-CCE-96555-8
-CCE-96557-4
 CCE-96558-2
 CCE-96559-0
-CCE-96560-8
 CCE-96561-6
 CCE-96562-4
 CCE-96563-2
 CCE-96564-0
 CCE-96565-7
-CCE-96566-5
-CCE-96569-9
-CCE-96570-7
-CCE-96571-5
 CCE-96572-3
-CCE-96573-1
-CCE-96574-9
-CCE-96575-6
 CCE-96577-2
 CCE-96580-6
-CCE-96582-2
 CCE-96583-0
 CCE-96586-3
 CCE-96587-1
 CCE-96588-9
-CCE-96589-7
 CCE-96590-5
 CCE-96594-7
-CCE-96595-4
 CCE-96596-2
-CCE-96597-0
-CCE-96599-6
 CCE-96600-2
 CCE-96601-0
 CCE-96602-8
@@ -603,40 +397,23 @@ CCE-96603-6
 CCE-96605-1
 CCE-96607-7
 CCE-96608-5
-CCE-96609-3
 CCE-96610-1
-CCE-96612-7
 CCE-96613-5
 CCE-96614-3
-CCE-96615-0
-CCE-96618-4
 CCE-96619-2
-CCE-96620-0
 CCE-96621-8
-CCE-96622-6
-CCE-96623-4
-CCE-96624-2
-CCE-96626-7
 CCE-96628-3
-CCE-96629-1
 CCE-96630-9
-CCE-96632-5
-CCE-96633-3
 CCE-96635-8
 CCE-96636-6
 CCE-96637-4
 CCE-96638-2
-CCE-96640-8
-CCE-96642-4
 CCE-96643-2
 CCE-96644-0
 CCE-96645-7
 CCE-96647-3
-CCE-96648-1
-CCE-96649-9
 CCE-96651-5
 CCE-96652-3
-CCE-96653-1
 CCE-96655-6
 CCE-96656-4
 CCE-96657-2
@@ -646,20 +423,16 @@ CCE-96663-0
 CCE-96664-8
 CCE-96665-5
 CCE-96666-3
-CCE-96668-9
 CCE-96669-7
-CCE-96671-3
 CCE-96672-1
 CCE-96674-7
 CCE-96676-2
 CCE-96679-6
 CCE-96680-4
-CCE-96682-0
 CCE-96684-6
 CCE-96685-3
 CCE-96687-9
 CCE-96689-5
 CCE-96690-3
-CCE-96692-9
 CCE-96693-7
 CCE-96696-0

From ea17184fdf1d5bbae14011947790c6615a0b5091 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
Date: Wed, 18 Feb 2026 11:04:13 +0100
Subject: [PATCH 115/265] Fix remediation in rule logind_session_timeout

The bash remediation failed if the /etc/systemd/logind.conf.d/
directory didn't exist. This change makes sure this directory exists.
Also, add a simple test scenario that covers this situation.

Fixes: https://github.com/ComplianceAsCode/content/issues/14388
---
 .../accounts-physical/logind_session_timeout/bash/shared.sh  | 1 +
 .../logind_session_timeout/tests/dir_missing.fail.sh         | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/dir_missing.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
index 72e3aa52ba40..a2bc81b2fc6d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
@@ -5,6 +5,7 @@
 {{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
+mkdir -p "/etc/systemd/logind.conf.d/"
 {{% else %}}
 {{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
 {{% endif %}}
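Review bot: The directory on the new `mkdir -p` line is a second copy of the path already baked into `logind_conf_file` on the `{{% set %}}` line right below it, so a future move of the drop-in location has to be edited in two places. Placing the `mkdir` after the `set` and deriving it from the variable, `mkdir -p "$(dirname "{{{ logind_conf_file }}}")"`, keeps one source of truth for the path. The part of the remediation that writes the drop-in file lies outside the hunk.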
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/dir_missing.fail.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/dir_missing.fail.sh
new file mode 100644
index 000000000000..8f1db2d9320b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/dir_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
+rm -rf "/etc/systemd/logind.conf.d/"
+{{% endif %}}
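Review bot: On products outside the `{{% if product in [...] %}}` list this scenario renders to an empty script, so it is a `.fail.sh` that changes nothing and only meets its expectation when the default state of the image already fails the rule; that is likely true on a fresh image, but the scenario then does not exercise the missing-directory case it is named for. If the test suite supports scoping scenarios with a `# platform =` header comment, restricting this one to the products that use the drop-in directory would make the expectation explicit; otherwise a short comment above the `rm -rf`, such as `# the remediation must recreate this directory before writing the drop-in`, would at least document what is being tested.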

From 96febe6c5fecb8f131a46d2460ec9a7b694e59e1 Mon Sep 17 00:00:00 2001
From: Miha Purg 
Date: Wed, 18 Feb 2026 14:16:10 +0100
Subject: [PATCH 116/265] Enforce sha512 and minimum rounds in Ubuntu 22.04
 STIG

Aligns with new requirements in STIG V2R7 rule UBTU-22-611055
(Ubuntu 22.04 LTS must store only encrypted representations of passwords).
---
 controls/stig_ubuntu2204.yml                              | 4 +++-
 .../bash/shared.sh                                        | 2 +-
 .../oval/shared.xml                                       | 4 ++--
 .../rule.yml                                              | 8 ++++----
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml
index db8a53a9bcca..0f6b991ab240 100644
--- a/controls/stig_ubuntu2204.yml
+++ b/controls/stig_ubuntu2204.yml
@@ -886,7 +886,9 @@ controls:
       levels:
           - medium
       rules:
-          - set_password_hashing_algorithm_systemauth
+          - var_password_pam_unix_rounds=100000
+          - set_password_hashing_algorithm_auth_stig
+          - accounts_password_pam_unix_rounds_password_auth
       status: automated
 
     - id: UBTU-22-611060
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
index 9346f874318b..cdef1f01f94e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
@@ -6,7 +6,7 @@
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
 {{% elif product in ["debian12", "debian13"] %}}
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
-{{% elif product in ["ubuntu2404"] %}}
+{{% elif product in ["ubuntu2204", "ubuntu2404"] %}}
 config_file="/usr/share/pam-configs/cac_unix"
 {{{ bash_pam_unix_enable() }}}
 sed -i -E '/^Password:/,/^[^[:space:]]/ {
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
index 7e3067f20224..e3d35e50f261 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2404'] %}}
+{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -19,7 +19,7 @@
 
   
     ^{{{ pam_passwd_file_path }}}$
-    {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}}
+    {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
     ^\s*password\s+.*\s+pam_unix\.so[^#]*rounds=([0-9]*).*$
     {{% else %}}
     ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so[^#]*rounds=([0-9]*).*$
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
index 06e867bc9d1e..f52c225f397d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
 
 title: 'Set number of Password Hashing Rounds - password-auth'
 
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2404'] %}}
+{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -15,7 +15,7 @@ description: |-
     

In file {{{ pam_passwd_file_path }}} append rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}} to the pam_unix.so entry, as shown below: - {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}} + {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
password [success=1 default=ignore] pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
{{% else %}}
password sufficient pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
@@ -49,7 +49,7 @@ ocil: |- To verify the number of rounds for the password hashing algorithm is configured, run the following command:
$ sudo grep rounds {{{ pam_passwd_file_path }}}
The output should show the following match: - {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}} + {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
password [success=1 default=ignore] pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
{{% else %}}
password sufficient pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
@@ -62,7 +62,7 @@ fixtext: |- Add or modify the following line in "{{{ pam_passwd_file_path }}}" and set "rounds" to {{{ xccdf_value("var_password_pam_unix_rounds") }}}. For example: - {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}} + {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}} password [success=1 default=ignore] pam_unix.so sha512 rounds=5000 {{% else %}} password sufficient pam_unix.so sha512 rounds=5000 From ec98e30f61c6862e2bdbe5255083fd78c93f3d01 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Wed, 18 Feb 2026 15:12:33 +0100 Subject: [PATCH 117/265] Add audit rules for cron dirs to Ubuntu 22.04 STIG Aligns with UBTU-22-654041 (Ubuntu 22.04 LTS must audit any script or executable called by cron as root or by any privileged user) --- controls/stig_ubuntu2204.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index db8a53a9bcca..bd93ac5ec839 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml @@ -1260,6 +1260,15 @@ controls: - audit_rules_privileged_commands_crontab status: automated + - id: UBTU-22-654041 + title: Ubuntu 22.04 LTS must audit any script or executable called by cron as root or by any privileged user. + levels: + - medium + rules: + - audit_rules_etc_cron_d + - audit_rules_var_spool_cron + status: automated + - id: UBTU-22-654045 title: Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful attempts to use the fdisk command. From 9197ec60ed945fceb93d257933ddba4727a241a7 Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 18 Feb 2026 16:31:21 +0200 Subject: [PATCH 118/265] Update SLE15 STIG version to V2R6 --- products/sle15/profiles/stig.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index 309c043b17a3..f4736420cf9b 100644 --- a/products/sle15/profiles/stig.profile 
+++ b/products/sle15/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V2R5 + version: V2R6 SMEs: - svet-se - rumch-se @@ -13,7 +13,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 15' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise 15 V2R5. + DISA STIG for SUSE Linux Enterprise 15 V2R6. selections: From 723f91bf436b5ced9b869496513c9f96cb89066c Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 18 Feb 2026 16:33:16 +0200 Subject: [PATCH 119/265] Update SLE15 STIG version to V2R6 --- ... => disa-stig-sle15-v2r6-xccdf-manual.xml} | 74 ++++++++----------- 1 file changed, 32 insertions(+), 42 deletions(-) rename shared/references/{disa-stig-sle15-v2r5-xccdf-manual.xml => disa-stig-sle15-v2r6-xccdf-manual.xml} (88%) diff --git a/shared/references/disa-stig-sle15-v2r5-xccdf-manual.xml b/shared/references/disa-stig-sle15-v2r6-xccdf-manual.xml similarity index 88% rename from shared/references/disa-stig-sle15-v2r5-xccdf-manual.xml rename to shared/references/disa-stig-sle15-v2r6-xccdf-manual.xml index 293ad43f48ee..90fda462d6a4 100644 --- a/shared/references/disa-stig-sle15-v2r5-xccdf-manual.xml +++ b/shared/references/disa-stig-sle15-v2r6-xccdf-manual.xml 
@@ -1,4 +1,13 @@ -acceptedSUSE Linux Enterprise Server 15 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 02 Jul 20253.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. +acceptedSUSE Linux Enterprise Server 15 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 05 Jan 20263.5.21.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77045SV-91741CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. 
+acceptedSUSE Linux Enterprise Server 12 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 4 Benchmark Date: 05 Jan 20263.5.21.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. 
+ +Release Released General Support Long Term Support +12.1 15 Dec 2015 31 May 2017 31 May 2020 +12.2 08 Nov 2016 31 Mar 2018 31 Mar 2021 +12.3 07 Sep 2017 30 Jun 2019 30 Jun 2022 +12.4 12 Dec 2018 30 Jun 2020 30 Jun 2023 +12.5 09 Dec 2019 31 Oct 2024 31 Oct 2027</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77045SV-91741CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.Verify the SUSE operating system is a vendor-supported release. 
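Review bot: The new side of this hunk appears to contain two benchmark headers, a "SUSE Linux Enterprise Server 15 ... Release: 6" entry followed by an "accepted SUSE Linux Enterprise Server 12 ... Release: 4" entry with `SLES-12-010000` and `V-77045`/`SV-91741` identifiers, inside a file renamed to `disa-stig-sle15-v2r6-xccdf-manual.xml`. The rendering here has the XML markup stripped, so this may be an extraction artifact, but if the checked-in file really interleaves the SLE 12 manual with the SLE 15 one, anything that derives STIG ids or reference checks from this manual will be working from the wrong product's data. Please verify the file against the downloaded V2R6 SLE 15 benchmark before merging.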
@@ -674,19 +681,7 @@ DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" If the "DISPLAYMANAGER_AUTOLOGIN" parameter includes a username or the "DISPLAYMANAGER_PASSWORD_LESS_LOGIN" parameter is not set to "no", this is a -finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010390The SUSE operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91831V-77135CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". - -Add the following line to the top of "/etc/pam.d/login": - -session required pam_lastlog.so showfailedVerify the SUSE operating system users are provided with feedback on when account accesses last occurred. - -Check that "pam_lastlog" is used and not silent with the following command: - -> grep pam_lastlog /etc/pam.d/login - -session required pam_lastlog.so showfailed - -If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010400There must be no .shosts files on the SUSE operating system.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77137SV-91833CCI-000366Remove any ".shosts" files found on the SUSE operating system. +finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010400There must be no .shosts files on the SUSE operating system.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77137SV-91833CCI-000366Remove any ".shosts" files found on the SUSE operating system. # rm /[path]/[to]/[file]/.shostsVerify there are no ".shosts" files on the SUSE operating system. 
@@ -702,7 +697,7 @@ Check the system for the existence of these files with the following command: # find /etc -name shosts.equiv -If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000478-GPOS-00223<GroupDescription></GroupDescription>SLES-12-010420FIPS 140-2 mode must be enabled on the SUSE operating system.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. +If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000478-GPOS-00223<GroupDescription></GroupDescription>SLES-12-010420FIPS 140-2 mode must be enabled on the SUSE operating system.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91837V-77141CCI-002450To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install. 
@@ -714,7 +709,7 @@ http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdfSRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010430SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If nothing is returned, the file does not exist, or the value returned is "0", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010430SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. 
Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77143SV-91839CCI-000213Note: If the system does not use a basic input/output system (BIOS) this requirement is Not Applicable. 
@@ -747,7 +742,7 @@ Check that the encrypted password is set for a boot user with the following comm password_pbkdf2 boot grub.pbkdf2.sha512.10000.VeryLongString -If the boot user password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010440SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information. +If the boot user password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010440SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information. If the system is running in EFI mode, SLES 12 by default will use GRUB 2 EFI as the boot loader.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91841V-77145CCI-000213Note: If the system does not use UEFI, this requirement is Not Applicable. 
@@ -812,7 +807,7 @@ truecrypt /dev/sda3 /etc/container_password tcrypt Every persistent disk partition present on the system must have an entry in the file. -If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010460The sticky bit must be set on all SUSE operating system world-writable directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010460The sticky bit must be set on all SUSE operating system world-writable directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -974,16 +969,14 @@ Check that "usb-storage" is blacklisted in the "/etc/modprobe.d/50-blacklist.con # grep usb-storage /etc/modprobe.d/50-blacklist.conf blacklist usb-storage -If nothing is output from the command, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>SLES-12-010590The SUSE operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. +If nothing is output from the command, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>SLES-12-010590The SUSE operating system must disable the file system automounter.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77167SV-91863CCI-000366CCI-000778CCI-001958Configure the SUSE operating system to disable the ability to automount devices. 
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77167SV-91863CCI-000366CCI-000778CCI-001958Configure the SUSE operating system to disable the ability to automount devices. -Turn off the automount service with the following command: +Turn off the automount service with the following commands: # systemctl stop autofs -# systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the SUSE operating system disables the ability to automount devices. +# systemctl disable autofsVerify the SUSE operating system disables the ability to automount devices. Check to see if automounter service is active with the following command: 
@@ -992,7 +985,7 @@ autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>SLES-12-010600The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.<VulnDiscussion>Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. +If the "autofs" status is set to "active" this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>SLES-12-010600The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.<VulnDiscussion>Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. 
@@ -3900,7 +3893,7 @@ Restart the "sshd" service for changes to take effect: $ sudo grep -i kexalgorithms /etc/ssh/sshd_config KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 -If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010375The SUSE operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001090Configure the operating system to restrict access to the kernel message buffer. +If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010375The SUSE operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. 
This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001090Configure the operating system to restrict access to the kernel message buffer. Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: From 81672064903d13d8ce9f3d618931489e245408b2 Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 18 Feb 2026 16:47:47 +0200 Subject: [PATCH 124/265] Remove rule display_login_attempts from SLE12 STIG profile --- products/sle12/profiles/stig.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index b865f8347191..bd7b60058282 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -176,7 +176,6 @@ selections: - dir_system_commands_root_owned - disable_ctrlaltdel_reboot - disallow_bypass_password_sudo - - display_login_attempts - enable_dconf_user_profile - encrypt_partitions - ensure_gpgcheck_globally_activated From cf584010d618a74d63fc63c64dba68bd681f93b3 Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 18 Feb 2026 17:00:17 +0200 Subject: [PATCH 125/265] move stig_slmicro5 control file to slmicro5 controls --- {controls => products/slmicro5/controls}/stig_slmicro5.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {controls => products/slmicro5/controls}/stig_slmicro5.yml (100%) 
diff --git a/controls/stig_slmicro5.yml b/products/slmicro5/controls/stig_slmicro5.yml similarity index 100% rename from controls/stig_slmicro5.yml rename to products/slmicro5/controls/stig_slmicro5.yml From dfee3b3410c4d1e036b5d089025adb5f4a611a00 Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 18 Feb 2026 17:02:04 +0200 Subject: [PATCH 126/265] Update SLEM5 STIG version to V1R3 --- products/slmicro5/controls/stig_slmicro5.yml | 2 +- products/slmicro5/profiles/stig.profile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/products/slmicro5/controls/stig_slmicro5.yml b/products/slmicro5/controls/stig_slmicro5.yml index d39b265fff84..15793df7fd15 100644 --- a/products/slmicro5/controls/stig_slmicro5.yml +++ b/products/slmicro5/controls/stig_slmicro5.yml @@ -3,7 +3,7 @@ policy: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation G title: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide id: stig_slmicro5 source: https://www.cyber.mil/stigs/downloads/ -version: V1R2 +version: V1R3 reference_type: stigid product: slmicro5 diff --git a/products/slmicro5/profiles/stig.profile b/products/slmicro5/profiles/stig.profile index f5024ff753bd..33560c324eee 100644 --- a/products/slmicro5/profiles/stig.profile +++ b/products/slmicro5/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R2 + version: V1R3 SMEs: - svet-se - rumch-se @@ -13,7 +13,7 @@ title: 'DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5 V1R2. + DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5 V1R3. selections: - stig_slmicro5:all From 29175729f2466c85fdb5a9c9d9e4e75707210d92 Mon Sep 17 00:00:00 2001 
From: svet-se Date: Wed, 18 Feb 2026 17:03:41 +0200 Subject: [PATCH 127/265] Update SLEM5 DISA STIG manual to V1R3 --- ... disa-stig-slmicro5-v1r3-xccdf-manual.xml} | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) rename shared/references/{disa-stig-slmicro5-v1r2-xccdf-manual.xml => disa-stig-slmicro5-v1r3-xccdf-manual.xml} (87%) diff --git a/shared/references/disa-stig-slmicro5-v1r2-xccdf-manual.xml b/shared/references/disa-stig-slmicro5-v1r3-xccdf-manual.xml similarity index 87% rename from shared/references/disa-stig-slmicro5-v1r2-xccdf-manual.xml rename to shared/references/disa-stig-slmicro5-v1r3-xccdf-manual.xml index 5d041d34d222..d53d2389953f 100644 --- a/shared/references/disa-stig-slmicro5-v1r2-xccdf-manual.xml +++ b/shared/references/disa-stig-slmicro5-v1r3-xccdf-manual.xml 
@@ -1,10 +1,21 @@ -acceptedSUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 02 Jul 20253.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLEM-05-211010SLEM 5 must be a vendor-supported release.<VulnDiscussion>A SLEM 5 release is considered supported if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Micro (SLEM) 5DISADPMS TargetSUSE Linux Enterprise Micro (SLEM) 55596CCI-000366Upgrade SLEM 5 to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. +acceptedSUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 05 Jan 20263.5.21.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL08-00-030180The OL 8 audit package must be installed.<VulnDiscussion>Without establishing what type of events occurred and their source, location, and outcome, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
@@ -32,17 +32,20 @@ auditd.service - Security Auditing Service Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago -If the audit service is not "active" and "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010000OL 8 must be a vendor-supported release.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. +If the audit service is not "active" and "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010000OL 8 must be a vendor-supported release.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DOD that reflects the most restrictive security posture consistent with operational requirements. -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. 
Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Upgrade to a supported version of the operating system.Verify the version of the operating system is vendor supported. +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +End Of Life dates for Oracle Linux 8 releases are as follows: +Current end of Premier Support for Oracle Linux 8 is July 2029. +Current end of Extended Support for Oracle Linux 8 is July 2032. 
+ +Each minor version reaches end of life when the new version is released.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Upgrade to a supported version of the operating system.Verify the version of the operating system is vendor supported. Check the version of the operating system with the following command: -$ udo cat /etc/oracle-release - -Oracle Linux Server release 8.2 - -Current End of Premier Support for Oracle Linux 8 is July 2029, while Extended Support might consider an extended term. +$ sudo cat /etc/oracle-release +Oracle Linux Server release 8.10 If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010010OL 8 vendor-packaged system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. 
@@ -425,7 +428,7 @@ SHA_CRYPT_MIN_ROUNDS 100000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file. +If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file. Generate an encrypted grub2 password for the grub superusers account with the following command: 
@@ -439,7 +442,7 @@ $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] -If the grub superusers account password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010141OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu. +If the grub superusers account password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010141OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu. The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are (root, superuser, unlock, etc.)</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to replace "root" with a unique name for the grub superusers account. Edit the /etc/grub.d/01_users file and add or modify the following lines: 
@@ -458,7 +461,7 @@ $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniqueUserNamehere]" export superusers -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010149OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu. +If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010149OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu. The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are (root, superuser, unlock, etc.)</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to replace "root" with a unique name for the grub superusers account. Edit the /etc/grub.d/01_users file and add or modify the following lines: 
@@ -477,7 +480,7 @@ $ sudo grep -iw "superusers" /boot/grub2/grub.cfg set superusers="[someuniqueUserNamehere]" export superusers -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010150OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/grub2/user.cfg" file. +If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010150OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/grub2/user.cfg" file. Generate an encrypted grub2 password for the grub superusers account with the following command: 
@@ -491,7 +494,7 @@ $ sudo grep -iw grub2_password /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] -If the grub superusers account password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010151OL 8 operating systems must require authentication upon booting into rescue mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file: +If the grub superusers account password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010151OL 8 operating systems must require authentication upon booting into rescue mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the 
system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescueDetermine if the system requires authentication for rescue mode with the following command: 
@@ -499,7 +502,7 @@ $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue -If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue" or is commented out or missing, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010152OL 8 operating systems must require authentication upon booting into emergency mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file: +If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue" or is commented out or missing, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010152OL 8 operating systems must require authentication upon booting into emergency mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the 
system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergencyDetermine if the system requires authentication for emergency mode with the following command: 
@@ -612,7 +615,7 @@ $ sudo yum list installed policycoreutils policycoreutils.x86_64 2.9-3.el8 @anaconda -If the "policycoreutils" package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL08-00-010190A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If the "policycoreutils" package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL08-00-010190A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -754,45 +757,58 @@ $ sudo grep -i CRYPTO_POLICY /etc/sysconfig/sshd # CRYPTO_POLICY= -If the "CRYPTO_POLICY" is uncommented, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>OL08-00-010290The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -OL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the "/etc/sysconfig/sshd" file. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/opensshserver.config" file. +If the "CRYPTO_POLICY" is uncommented, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>OL08-00-010290The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. -The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877Configure the OL 8 SSH server to use only MACs employing FIPS 140-2 approved algorithms: +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. -Update the "/etc/crypto-policies/back-ends/opensshserver.config" file to include these MACs employing FIPS 140-2 approved algorithms: - --oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com - -A reboot is required for the changes to take effect.Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command: +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config +OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877Configure the OL 8 SSH server to use only MACs employing FIPS 140-3-approved algorithms. - -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com +Reinstall crypto-policies with the following command: -If the MACs entries in the "opensshserver.config" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>OL08-00-010291The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. - -Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. +$ sudo dnf -y reinstall crypto-policies -The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877Configure the OL 8 SSH server to use only ciphers employing FIPS 140-2 approved algorithms: +Set the crypto-policy to FIPS with the following command: -Update the "/etc/crypto-policies/back-ends/opensshserver.config" file to include these ciphers employing FIPS 140-2-approved algorithms: - -CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' - -A reboot is required for the changes to take effect.Verify the OL 8 SSH server is configured to use only ciphers employing FIPS 140-2 approved algorithms with the following command: - - $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config - - CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' - -If the cipher entries in the "opensshserver.config" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.SRG-OS-000480-GPOS-00232<GroupDescription></GroupDescription>OL08-00-010292The OL 8 SSH server must be configured to use strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. 
The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. +$ sudo update-crypto-policies --set FIPS + +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the OL 8 SSH server is configured to use only MACs employing FIPS 140-3-approved algorithms. + +To verify the MACs in the systemwide SSH configuration file, use the following command: + +$ sudo grep -i MACs /etc/crypto-policies/back-ends/opensshserver.config + +-oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 + +If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256", or they are missing or commented out, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>OL08-00-010291The OL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. 
+ +OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877Configure the OL 8 SSH server to use only ciphers employing FIPS 140-3-approved algorithms. + +Reinstall crypto-policies with the following command: + +$ sudo dnf -y reinstall crypto-policies + +Set the crypto-policy to FIPS with the following command: + +$ sudo update-crypto-policies --set FIPS + +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the OL 8 SSH server is configured to use only ciphers employing FIPS 140-3-approved algorithms. 
+ +To verify the ciphers in the systemwide SSH configuration file, use the following command: + +$ sudo grep -i Ciphers /etc/crypto-policies/back-ends/opensshserver.config +CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr + +If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.SRG-OS-000480-GPOS-00232<GroupDescription></GroupDescription>OL08-00-010292The OL 8 SSH server must be configured to use strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The SSH implementation in OL 8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable, the OPENSSL random generator is reseeded from "/dev/random". This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the operating system SSH server to use strong entropy. 
@@ -1001,241 +1017,146 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf localpkg_gpgcheck =True -If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL08-00-010372OL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL08-00-010372OL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Disabling "kexec_load" prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used to subvert the entire secureboot process and should be avoided at all costs, especially since it can load unsigned kernel images. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-003992CCI-001749Configure OL 8 to disable kernel image loading. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-003992CCI-001749Configure OL 8 to prevent the loading of a new kernel for later execution. 
Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: kernel.kexec_load_disabled = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: -$ sudo sysctl --systemNote: For OL 8 systems using the Oracle Unbreakable Enterprise Kernel (UEK) Release 6 or above and with secureboot enabled, this requirement is Not Applicable. - -Verify the operating system is configured to disable kernel image loading with the following commands. +$ sudo sysctl --systemNote: For OL 8 systems using the Oracle Unbreakable Enterprise Kernel (UEK) Release 6 or above and with secureboot enabled, this requirement is Not Applicable. -Check the status of the "kernel.kexec_load_disabled" kernel parameter: +Verify OL 8 is configured to disable kernel image loading. -$ sudo sysctl kernel.kexec_load_disabled +Check the status of the kernel.kexec_load_disabled kernel parameter with the following command: +$ sysctl kernel.kexec_load_disabled kernel.kexec_load_disabled = 1 -If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter: - -$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1 - -If "kernel.kexec_load_disabled" is not set to "1" or is missing or commented out, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>OL08-00-010373OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks.<VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. +If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>OL08-00-010373OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks.<VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When DAC policies are implemented, subjects are not constrained as to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control (MAC) policies is still able to operate under the less rigorous constraints of this requirement. 
Therefore, while MAC imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of DAC require identity-based access control, that limitation is not required for this use of DAC. By enabling the "fs.protected_symlinks" kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002165Configure OL 8 to enable DAC on symlinks. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002165Configure OL 8 to enable DAC on symlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_symlinks = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands. +$ sudo sysctl --systemVerify OL 8 is configured to enable DAC on symlinks. 
-Check the status of the "fs.protected_symlinks" kernel parameter: +Check the status of the fs.protected_symlinks kernel parameter with the following command: $ sudo sysctl fs.protected_symlinks - fs.protected_symlinks = 1 -If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter: - -$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1 - -If "fs.protected_symlinks" is not set to "1" or is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>OL08-00-010374OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.<VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. +If "fs.protected_symlinks " is not set to "1" or is missing, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>OL08-00-010374OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.<VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. 
DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When DAC policies are implemented, subjects are not constrained as to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control (MAC) policies is still able to operate under the less rigorous constraints of this requirement. Therefore, while MAC imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of DAC require identity-based access control, that limitation is not required for this use of DAC. By enabling the "fs.protected_hardlinks" kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002165Configure OL 8 to enable DAC on hardlinks. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002165Configure OL 8 to enable DAC on hardlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_hardlinks = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands. +$ sudo sysctl --systemVerify OL 8 is configured to enable DAC on hardlinks. -Check the status of the "fs.protected_hardlinks" kernel parameter: +Check the status of the fs.protected_hardlinks kernel parameter with the following command: $ sudo sysctl fs.protected_hardlinks - fs.protected_hardlinks = 1 -If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding. 
- -Check that the configuration files are present to enable this kernel parameter: - -$ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1 +If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL08-00-010375OL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -If "fs.protected_hardlinks" is not set to "1" or is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL08-00-010375OL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. -Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user. +Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001090Configure OL 8 to restrict access to the kernel message buffer. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001090Configure OL 8 to restrict access to the kernel message buffer. 
-Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: kernel.dmesg_restrict = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands. +$ sudo sysctl --systemVerify OL 8 is configured to restrict access to the kernel message buffer with the following commands: -Check the status of the "kernel.dmesg_restrict" kernel parameter: +Check the status of the kernel.dmesg_restrict kernel parameter. $ sudo sysctl kernel.dmesg_restrict - kernel.dmesg_restrict = 1 -If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter: - -$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 - -If "kernel.dmesg_restrict" is not set to "1" or is missing or commented out, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL08-00-010376OL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL08-00-010376OL 8 must prevent kernel profiling by nonprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
+This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. -Setting the "kernel.perf_event_paranoid" kernel parameter to "2" prevents attackers from gaining additional system information as a non-privileged user. +Setting the "kernel.perf_event_paranoid" kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001090Configure OL 8 to prevent kernel profiling by unprivileged users. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001090Configure OL 8 to prevent kernel profiling by nonprivileged users. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: kernel.perf_event_paranoid = 2 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands. 
+$ sudo sysctl --systemVerify OL 8 is configured to prevent kernel profiling by nonprivileged users with the following commands: -Check the status of the "kernel.perf_event_paranoid" kernel parameter: - -$ sudo sysctl kernel.perf_event_paranoid +Check the status of the kernel.perf_event_paranoid kernel parameter. +$ sysctl kernel.perf_event_paranoid kernel.perf_event_paranoid = 2 -If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter: - -$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2 - -If "kernel.perf_event_paranoid" is not set to "2" or is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>OL08-00-010380OL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>OL08-00-010380OL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. 
@@ -1474,49 +1395,30 @@ $ grubby --info=/boot/vmlinuz-$(uname -r) | grep mitigations If the "mitigations" parameter is set to "off" (mitigations=off), this is a finding. -Note: The default behavior of the kernel is to enable mitigations for vulnerabilities like Meltdown and Spectre based on hardware and system requirements. Therefore, if the "mitigation" parameter is not present or if it is set to on this is not a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>OL08-00-010430OL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. +Note: The default behavior of the kernel is to enable mitigations for vulnerabilities like Meltdown and Spectre based on hardware and system requirements. Therefore, if the "mitigation" parameter is not present or if it is set to on this is not a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>OL08-00-010430OL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. 
Examples of attacks are buffer overflow attacks. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002824Configure OL 8 to implement virtual address space randomization. 
- -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.d/*.conf" (or modify the line to have the required value): - -kernel.randomize_va_space=2 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002824Configure OL 8 to implement ASLR to protect its memory from unauthorized code execution. -Issue the following command to make the changes take effect: - -$ sudo sysctl --systemVerify that OL 8 implements ASLR with the following command: - -$ sudo sysctl kernel.randomize_va_space - -kernel.randomize_va_space = 2 - -If "kernel.randomize_va_space" is not set to "2", this is a finding. +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: -Check that the configuration files are present to enable this kernel parameter. +kernel.randomize_va_space = 2 -$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Reload settings from all system configuration files with the following command: -/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 +$ sudo sysctl --systemVerify OL 8 is implementing ASLR with the following command: -If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding. 
+$ sysctl kernel.randomize_va_space +kernel.randomize_va_space = 2 -If conflicting results are returned, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>OL08-00-010440YUM must remove all software components after updated versions have been installed on OL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002617Configure OL 8 to remove all software components after updated versions have been installed. +If "kernel.randomize_va_space" is not set to "2" or is missing, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>OL08-00-010440YUM must remove all software components after updated versions have been installed on OL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002617Configure OL 8 to remove all software components after updated versions have been installed. Set the "clean_requirements_on_remove" option to "True" in the "/etc/yum.conf" file: 
@@ -1790,7 +1692,7 @@ $ sudo mount | grep '\s/boot\s' /dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) -If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010572OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.For systems that use BIOS, this is Not Applicable. +If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010572OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.Note: For vfat file systems and for systems that use BIOS, this is Not Applicable. Verify the /boot/efi directory is mounted with the "nosuid" option with the following command: 
@@ -1798,7 +1700,9 @@ $ sudo mount | grep '\s/boot/efi\s' /dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro) -If the /boot/efi file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010580OL 8 must prevent special devices on non-root local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.Verify all non-root local partitions are mounted with the "nodev" option with the following command: +If the /boot/efi file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010580OL 8 must prevent special devices on nonroot local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions.Note: This control is not applicable to vfat file systems. + +Verify all nonroot local partitions are mounted with the "nodev" option with the following command: $ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' 
@@ -1835,41 +1739,31 @@ $ sudo more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010630OL 8 file systems must not execute binary files that are imported via Network File System (NFS).<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.Verify that file systems being imported via NFS are mounted with the "noexec" option with the following command: +If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010630OL 8 file systems must not execute binary files that are imported via Network File System (NFS).<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.Note: If no NFS mounts are configured, this requirement is Not Applicable. + +Verify file systems being imported via NFS are mounted with the "noexec" option with the following command: $ sudo grep nfs /etc/fstab | grep noexec UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010640OL 8 file systems must not interpret character or block special devices that are imported via NFS.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.Verify that file systems being imported via NFS are mounted with the "nodev" option with the following command: +If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010640OL 8 file systems must not interpret character or block special devices that are imported via Network File System (NFS).<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.Note: If no NFS mounts are configured, this requirement is Not Applicable. + +Verify file systems being imported via NFS are mounted with the "nodev" option with the following command: $ sudo grep nfs /etc/fstab | grep nodev UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "nodev" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010650OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.Verify that file systems being imported via NFS are mounted with the "nosuid" option with the following command: +If a file system found in "/etc/fstab" refers to NFS and it does not have the "nodev" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010650OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.Note: If no NFS mounts are configured, this requirement is Not Applicable. + +Verify file systems being imported via NFS are mounted with the "nosuid" option with the following command: $ sudo grep nfs /etc/fstab | grep nosuid UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010660Local OL 8 initialization files must not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. 
If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Set the mode on files being executed by the local initialization files with the following command: - -$ sudo chmod 0755 <file>Verify that local initialization files do not execute world-writable programs. - -Check the system for world-writable files. - -The following command will discover and print world-writable files. Run it once for each local partition [PART]: - -$ sudo find [PART] -xdev -type f -perm -0002 -print - -For all files listed, check for their presence in the local initialization files with the following commands: - -Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. - -$ sudo grep <file> /home/*/.* - -If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000269-GPOS-00103<GroupDescription></GroupDescription>OL08-00-010670OL 8 must disable kernel dumps unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. 
+If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.SRG-OS-000269-GPOS-00103<GroupDescription></GroupDescription>OL08-00-010670OL 8 must disable kernel dumps unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. OL 8 installation media presents the option to enable or disable the kdump service at the time of system installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001665If kernel core dumps are not required, disable the "kdump" service with the following command: 
@@ -1886,55 +1780,40 @@ Main PID: 1130 (code=exited, status=0/FAILURE) If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). -If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010671OL 8 must disable the "kernel.core_pattern".<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010671OL 8 must disable the "kernel.core_pattern".<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable storing core dumps by adding the following line to a file in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable storing core dumps. 
-kernel.core_pattern = |/bin/false +Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +kernel.core_pattern = |/bin/false The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify that OL 8 disables storing core dumps with the following commands: - -$ sudo sysctl kernel.core_pattern - -kernel.core_pattern = |/bin/false - -If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - -Check that the configuration files are present to enable this kernel parameter: +$ sudo sysctl --systemVerify OL 8 disables storing core dumps with the following commands: -$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false - -If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding. +$ sysctl kernel.core_pattern +kernel.core_pattern = |/bin/false -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010672OL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. +If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010672OL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -When the kernel invokes "systemd-coredump" to handle a core dump, it runs in privileged mode and will connect to the socket created by the "systemd-coredump.socket" unit. This, in turn, will spawn an unprivileged "systemd-coredump@.service" instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to disable the "systemd-coredump.socket" with the following commands: +When the kernel invokes "systemd-coredump" to handle a core dump, it runs in privileged mode and will connect to the socket created by the "systemd-coredump.socket" unit. 
This, in turn, will spawn an nonprivileged "systemd-coredump@.service" instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to disable the "systemd-coredump.socket" with the following commands: $ sudo systemctl disable --now systemd-coredump.socket $ sudo systemctl mask systemd-coredump.socket -Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/nullVerify OL 8 is not configured to acquire, save, or process core dumps with the following command: +Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/nullNote: If kernel dumps are disabled in accordance with OL08-00-010671, this requirement is not applicable. + +Verify OL 8 is not configured to acquire, save, or process core dumps with the following command: $ sudo systemctl status systemd-coredump.socket 
@@ -1942,45 +1821,55 @@ systemd-coredump.socket Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) Active: inactive (dead) -If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010673OL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable core dumps for all users. - -Add the following line to the top of "/etc/security/limits.conf" or in a ".conf" file defined in "/etc/security/limits.d/": - -* hard core 0Verify the operating system disables core dumps for all users with the following command: - -$ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf /etc/security/limits.d/*.conf - -* hard core 0 - -This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. 
+If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010673OL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -If the "core" item is missing or commented out or the value is anything other than "0", and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010674OL 8 must disable storing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable core dumps for all users. + +Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: + +* hard core 0 + +Remove or comment out any entries for users or groups with a value set to anything other than "0".Note: If kernel dumps are disabled in accordance with OL08-00-010671, this requirement is not applicable. + +Verify OL 8 disables core dumps for all users by issuing the following command: + +$ grep -r -s core /etc/security/limits.conf /etc/security/limits.d/*.conf + +/etc/security/limits.conf:* hard core 0 + +This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. + +If the "core" item is missing or commented out, or the value is anything other than "0", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding. + +If entries exist for users or groups with a value set to anything other than "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010674OL 8 must disable storing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable storing core dumps for all users. Add or modify the following line in "/etc/systemd/coredump.conf": -Storage=noneVerify the operating system disables storing core dumps for all users with the following command: +Storage=noneNote: If kernel dumps are disabled in accordance with OL08-00-010671, this requirement is not applicable. + +Verify OL 8 disables storing core dumps for all users with the following command: $ sudo grep -i storage /etc/systemd/coredump.conf Storage=none -If the "Storage" item is missing or commented out or the value is anything other than "none", and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010675OL 8 must disable core dump backtraces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. +If the "Storage" item is missing or commented out or the value is anything other than "none", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010675OL 8 must disable core dump backtraces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable core dump backtraces. Add or modify the following line in "/etc/systemd/coredump.conf": -ProcessSizeMax=0Verify the operating system disables core dump backtraces by issuing the following command: +ProcessSizeMax=0Note: If kernel dumps are disabled in accordance with OL08-00-010671, this requirement is not applicable. 
+ +Verify OL 8 disables core dump backtraces by issuing the following command: $ sudo grep -i ProcessSizeMax /etc/systemd/coredump.conf ProcessSizeMax=0 -If the "ProcessSizeMax" item is missing or commented out or the value is anything other than "0", and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010680For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to use two or more name servers for DNS resolution. 
+If the "ProcessSizeMax" item is missing or commented out or the value is anything other than "0", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010680For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to use two or more name servers for DNS resolution. By default, "NetworkManager" on OL 8 dynamically updates the "/etc/resolv.conf" file with the DNS settings from active "NetworkManager" connection profiles. However, this feature can be disabled to allow manual configurations. 
@@ -2026,13 +1915,17 @@ $ sudo grep -i path /home/smithj/.* /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin /home/smithj/.bash_profile:export PATH -If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010700All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. +If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010700All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. -The only authorized public directories are the temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Investigate any world-writable directories that are not owned by a system account and then delete the files or assign them to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a UID lower than 1000. Run it once for each local partition [PART]: - -$ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print - -If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010710All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. +The only authorized public directories are the temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure all OL 8 public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. + +Use the following command template to set ownership of public directories to root or a system account: + +$ sudo chown [root or system account] [Public Directory]Verify OL 8 world writable directories are owned by root, a system account, or an application account with the following command: + +$ sudo find / -xdev -type d -perm -0002 -uid +999 -exec stat -c "%U, %u, %A, %n" {} \; 2>/dev/null + +If there is output that indicates world-writable directories are owned by any account other than root or an approved system account, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010710All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized public directories are the temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Investigate any world-writable directories that are not group-owned by a system account and then delete the files or assign them to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition [PART]: 
@@ -2866,33 +2759,33 @@ $ sudo grep -r removal-action /etc/dconf/db/* /etc/dconf/db/distro.d/20-authselect:removal-action='lock-screen' -If the "removal-action='lock-screen'" setting is missing or commented out from the "dconf" database files, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL08-00-020060OL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems must be able to identify when a user's session has idled and take action to initiate the session lock. +If the "removal-action='lock-screen'" setting is missing or commented out from the "dconf" database files, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL08-00-020060OL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems must be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. 
-Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000057CCI-000060Configure OL 8 to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. +Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000057CCI-000060Configure OL 8 to initiate a screensaver after a 10-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: $ sudo touch /etc/dconf/db/local.d/00-screensaver Edit "/etc/dconf/db/local.d/00-screensaver" and add or update the following lines: [org/gnome/desktop/session] -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 +# Set the lock time out to 600 seconds before the session is considered idle +idle-delay=uint32 600 Update the system databases: -$ sudo dconf updateNote: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable. +$ sudo dconf updateNote: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. -Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following commands: +Verify OL 8 initiates a session lock after a 10-minute period of inactivity for graphical user interfaces with the following commands: $ sudo gsettings get org.gnome.desktop.session idle-delay -uint32 900 +uint32 600 -If "idle-delay" is set to "0" or a value greater than "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL08-00-020080OL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. +If "idle-delay" is set to "0" or a value greater than "600", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL08-00-020080OL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. 
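Review bot: The new side lowers the fix, the verification text and the finding threshold for OL08-00-020060 from 900 to 600 seconds (`idle-delay=uint32 600`, `greater than "600"`), but the rule title on the same line still says "after 15 minutes of inactivity", so the title now contradicts its own check. If this is the DISA-published text the mismatch should be reported upstream rather than edited here; either way, whatever implements this rule (presumably the idle-delay value the STIG profile selects) must move to 600 seconds, because a system still set to 900 now fails the check. Consider also recording in the commit message that this is a tightening of an existing control, since existing compliant systems will start failing.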
@@ -3478,17 +3371,7 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p $ sudo grep -i nullok /etc/pam.d/password-auth -If output is produced, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-020340OL 8 must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000052Configure OL 8 to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
- -Add the following line to the top of "/etc/pam.d/postlogin": - -session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred with the following command: - -$ sudo grep pam_lastlog /etc/pam.d/postlogin - -session required pam_lastlog.so showfailed - -If "pam_lastlog" is missing from the "/etc/pam.d/postlogin" file or the silent option is present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-020350OL 8 must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000052Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example). Note that this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor. 
+If output is produced, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-020350OL 8 must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000052Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example). Note that this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor. Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: 
@@ -3545,31 +3428,31 @@ $ sudo grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile /etc/profile: umask 077 /etc/profile: umask 077 -If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>OL08-00-030000The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. +If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>OL08-00-030000The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. 
-Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002233CCI-002234Configure OL 8 to audit the execution of the "execve" system call. +Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002233CCI-002234Configure OL 8 to audit the execution of the "execve" system call. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": --a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv --a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 key=execpriv +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 key=execpriv --a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv --a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 key=execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 key=execpriv The audit daemon must be restarted for the changes to take effect. 
To restart the audit daemon, run the following command: -$ sudo service auditd restartVerify OL 8 audits the execution of privileged functions. +$ sudo service auditd restartVerify OL 8 audits the execution of privileged functions. Check if OL 8 is configured to audit the execution of the "execve" system call, by running the following command: $ sudo grep execve /etc/audit/audit.rules --a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv --a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 key=execpriv +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 key=execpriv --a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv --a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 key=execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 key=execpriv If the command does not return all lines or the lines are commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-030010Cron logging must be implemented in OL 8.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the "/etc/rsyslog.d/" directory: 
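Review bot: Adding `-F euid=0` to the `gid!=egid` pair changes what the rule catches: it now fires only when the effective group changes AND the process ends up running as root, so setgid programs executed by unprivileged users (the group-privilege case this second pair existed for) are no longer audited, and the pair becomes largely redundant with the `uid!=euid` pair. As printed, `key=execpriv` also no longer has the `-F` in front of it on any of the eight new lines (the removed lines had `-F key=execpriv`); auditctl only accepts the key as `-F key=execpriv` or `-k execpriv`, so confirm the flag was not lost in the import before the downstream rule template and OVAL are aligned to this text. If this is verbatim DISA text, the ComplianceAsCode rule for this STIG ID needs to match these exact lines, since the check is a literal `grep execve /etc/audit/audit.rules`.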
@@ -5562,7 +5445,7 @@ rich rules: Ask the System Administrator for the site or program PPSM Component Local Service Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. -If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>OL08-00-040070The OL 8 file system automounter must be disabled unless required.<VulnDiscussion>Verify the operating system disables the ability to automount devices. +If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>OL08-00-040070The OL 8 file system automounter must be disabled.<VulnDiscussion>Verify the operating system disables the ability to automount devices. Determine if automounter service is active with the following command: 
@@ -5572,14 +5455,12 @@ autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000778Configure OL 8 to disable the ability to automount devices. - -Turn off the automount service with the following commands: - -$ sudo systemctl stop autofs -$ sudo systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the operating system disables the ability to automount devices. +If the "autofs" status is set to "active" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000778Configure OL 8 to disable the ability to automount devices. + +Turn off the automount service with the following commands: + +$ sudo systemctl stop autofs +$ sudo systemctl disable autofsVerify OL 8 disables the ability to automount devices. 
Determine if the automounter service is active with the following command: 
@@ -5589,7 +5470,7 @@ autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>OL08-00-040080OL 8 must be configured to disable the ability to use USB mass storage devices.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000778CCI-003959Configure OL 8 to disable the ability to use the USB Storage kernel module and to use USB mass storage devices. 
+If the "autofs" status is set to "active" this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>OL08-00-040080OL 8 must be configured to disable the ability to use USB mass storage devices.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000778CCI-003959Configure OL 8 to disable the ability to use the USB Storage kernel module and to use USB mass storage devices. $ sudo vi /etc/modprobe.d/blacklist.conf 
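Review bot: The check for OL08-00-040070 now reads `If the "autofs" status is set to "active" this is a finding.` with the ISSO documented-exception removed, but the VulnDiscussion kept on the new side in the previous hunk still ends with "...and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding", so the discussion promises an exception the check no longer grants. Whether this is upstream DISA text or a local edit, the two should agree, and any downstream profile that treated autofs as waivable for NFS should be revisited, since the rule is now unconditional (the title also dropped "unless required" earlier in this diff).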
@@ -6277,17 +6158,22 @@ $ sudo grep logout /etc/dconf/db/local.d/* logout='' -If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040172OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: - -CtrlAltDelBurstAction=none - -Reload the daemon for this change to take effect: - -$ sudo systemctl daemon-reloadVerify OL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: - -$ sudo grep -i ctrl /etc/systemd/system.conf +If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040172OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can 
reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: + +If no drop file exists, create one with the following command: + +$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction + +Edit the file to contain the setting by adding the following text: + +CtrlAltDelBurstAction=none + +Reload the daemon for this change to take effect. + +$ sudo systemctl daemon-reloadVerify OL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: -CtrlAltDelBurstAction=none +$ sudo grep -iR CtrlAltDelBurstAction /etc/systemd/system* +/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction:CtrlAltDelBurstAction=none If the "CtrlAltDelBurstAction" is not set to "none" or is commented out or missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040180OL 8 must disable the debug-shell systemd service.<VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. 
While this feature is disabled by default, masking it adds a layer of assurance that it will not be enabled via a dependency in "system". This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to mask the "debug-shell systemd" service with the following command: 
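Review bot: The drop-in file the fix creates, `/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction`, has no `.conf` suffix, and systemd only reads `*.conf` files from `system.conf.d`, so the `CtrlAltDelBurstAction=none` written there is never applied while the new check `grep -iR CtrlAltDelBurstAction /etc/systemd/system*` still finds the line and reports the system compliant — a false pass on a control meant to stop console-triggered reboots. The file should be named `55-CtrlAltDel-BurstAction.conf`, and the check should note that a later-sorting drop-in or an uncommented value in `/etc/systemd/system.conf` can override it, since the grep as written also sweeps the unrelated unit directory under `/etc/systemd/system/`. If this is the DISA-published text the defect belongs upstream, but the remediation and OVAL that implement this STIG ID in the repository should not copy the suffix-less filename.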
@@ -6319,825 +6205,478 @@ If the account is associated with system commands or applications, change the UI $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd -If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040209OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040209OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to prevent IPv4 ICMP redirect messages from being accepted with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to prevent IPv4 ICMP redirect messages from being accepted. 
-$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.default.accept_redirects = 0 -If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv4.conf.default.accept_redirects=0Verify OL 8 will not accept IPv4 ICMP redirect messages. +$ sudo sysctl --systemVerify OL 8 will not accept IPv4 ICMP redirect messages. Check the value of the default "accept_redirects" variables with the following command: -$ sudo sysctl net.ipv4.conf.default.accept_redirects - +$ sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0 +If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040210OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040210OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to prevent IPv6 ICMP redirect messages from being accepted with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to prevent IPv6 ICMP redirect messages from being accepted. -$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv6.conf.default.accept_redirects = 0 -If "0" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv6.conf.default.accept_redirects=0Verify OL 8 will not accept IPv6 ICMP redirect messages. 
+$ sudo sysctl --systemNote: If IPv6 is disabled on the system, this requirement is Not Applicable. -Note: IPv6 is disabled on the system, this requirement is Not Applicable. +Verify OL 8 will not accept IPv6 ICMP redirect messages. Check the value of the default "accept_redirects" variables with the following command: -$ sudo sysctl net.ipv6.conf.default.accept_redirects - +$ sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0 - -If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040220OL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040220OL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow interfaces to perform IPv4 ICMP redirects with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow interfaces to perform IPv4 ICMP redirects. -$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.all.send_redirects = 0 -If "0" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv4.conf.all.send_redirects=0Verify OL 8 does not send IPv4 ICMP redirect messages. 
+$ sudo sysctl --systemVerify OL 8 does not IPv4 ICMP redirect messages. Check the value of the "all send_redirects" variables with the following command: -$ sudo sysctl net.ipv4.conf.all.send_redirects - +$ sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0 -If the returned line does not have a value of "0" or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0 - -If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040230OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. +If "net.ipv4.conf.all.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040230OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. 
Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address. -$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.icmp_echo_ignore_broadcasts = 1 -If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv4.icmp_echo_ignore_broadcasts=1Verify OL 8 does not respond to ICMP echoes sent to a broadcast address. 
+$ sudo sysctl --systemVerify OL 8 does not respond to ICMP echoes sent to a broadcast address. Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: -$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts - +$ sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 -If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1 +If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040239OL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040239OL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not forward IPv4 source-routed packets with the following command: - -$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d": - -net.ipv4.conf.all.accept_source_route=0Verify OL 8 does not accept IPv4 source-routed packets. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to ignore IPv4 source-routed packets. 
-Check the value of the accept source route variable with the following command: - -$ sudo sysctl net.ipv4.conf.all.accept_source_route +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. +Load settings from all system configuration files with the following command: -$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +$ sudo sysctl --systemVerify OL 8 will not accept IPv4 source-routed packets. -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0 +Check the value of the all "accept_source_route" variables with the following command: -If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. +$ sysctl net.ipv4.conf.all.accept_source_route +net.ipv4.conf.all.accept_source_route = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040240OL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040240OL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not forward IPv6 source-routed packets with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not forward IPv6 source-routed packets. -$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv6.conf.all.accept_source_route = 0 -If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv6.conf.all.accept_source_route=0Verify OL 8 does not accept IPv6 source-routed packets. +$ sudo sysctl --systemNote: If IPv6 is disabled on the system, this requirement is Not Applicable. 
-Note: If IPv6 is disabled on the system, this requirement is Not Applicable. +Verify OL 8 does not accept IPv6 source-routed packets. Check the value of the accept source route variable with the following command: -$ sudo sysctl net.ipv6.conf.all.accept_source_route - +$ sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0 - -If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040249OL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040249OL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not forward IPv4 source-routed packets by default with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not forward IPv4 source-routed packets by default. -$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.default.accept_source_route = 0 -If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv4.conf.default.accept_source_route=0Verify OL 8 does not accept IPv4 source-routed packets by default. 
+$ sudo sysctl --systemVerify OL 8 does not accept IPv4 source-routed packets by default. Check the value of the accept source route variable with the following command: -$ sudo sysctl net.ipv4.conf.default.accept_source_route - +$ sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0 +If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040250OL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040250OL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not forward IPv6 source-routed packets by default with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not forward IPv6 source-routed packets by default. -$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv6.conf.default.accept_source_route = 0 -If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv6.conf.default.accept_source_route=0Verify OL 8 does not accept IPv6 source-routed packets by default. 
+$ sudo sysctl --systemNote: If IPv6 is disabled on the system, this requirement is Not Applicable. -Note: If IPv6 is disabled on the system, this requirement is Not Applicable. +Verify OL 8 does not accept IPv6 source-routed packets by default. Check the value of the accept source route variable with the following command: -$ sudo sysctl net.ipv6.conf.default.accept_source_route - +$ sysctl net.ipv6.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. +If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040260OL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0 - -If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040260OL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow IPv6 packet forwarding unless the system is a router with the following command: - -$ sudo sysctl -w net.ipv6.conf.all.forwarding=0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -If "0" is not the system's default value, add or update the following lines in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": - -net.ipv6.conf.all.forwarding=0Verify OL 8 is not performing IPv6 packet forwarding unless the system is a router. - -Note: If IPv6 is disabled on the system, this requirement is Not Applicable. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow IPv6 packet forwarding unless the system is a router. 
-Determine if IPv6 forwarding is disabled using the following commands: - -$ sudo sysctl net.ipv6.conf.all.forwarding +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.forwarding = 0 -If the IPv6 forwarding value is "1" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. +Load settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemNote: If IPv6 is disabled on the system, this requirement is Not Applicable. -$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Verify OL 8 is not performing IPv6 packet forwarding, unless the system is a router. -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0 +Check that IPv6 forwarding is disabled using the following commands: -If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. +$ sysctl net.ipv6.conf.all.forwarding +net.ipv6.conf.all.forwarding = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040261OL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
+If the IPv6 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040261OL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to not accept router advertisements on all IPv6 interfaces unless the system is a router with the following commands: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router. 
-$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv6.conf.all.accept_ra = 0 -If "0" is not the system's default value, add or update the following lines in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv6.conf.all.accept_ra=0Verify OL 8 does not accept router advertisements on all IPv6 interfaces unless the system is a router. +$ sudo sysctl --systemNote: If IPv6 is disabled on the system, this requirement is Not Applicable. -Note: If IPv6 is disabled on the system, this requirement is not applicable. +Verify OL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. Determine if router advertisements are not accepted by using the following command: -$ sudo sysctl net.ipv6.conf.all.accept_ra - +$ sysctl net.ipv6.conf.all.accept_ra net.ipv6.conf.all.accept_ra = 0 -If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0 - -If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040262OL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +If the "accept_ra" value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040262OL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to not accept router advertisements on all IPv6 interfaces by default, unless the system is a router, with the following commands: - -$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -If "0" is not the system's default value, add or update the following lines in the appropriate file under "/etc/sysctl.d": - -net.ipv6.conf.default.accept_ra=0Verify OL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. - -Note: If IPv6 is disabled on the system, this requirement is not applicable. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. -Determine if router advertisements are not accepted by using the following command: - -$ sudo sysctl net.ipv6.conf.default.accept_ra +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: net.ipv6.conf.default.accept_ra = 0 -If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. +Load settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemNote: If IPv6 is disabled on the system, this requirement is Not Applicable. -$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Verify OL 8 does not accept router advertisements on all IPv6 interfaces by default unless the system is a router. -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0 +Determine if router advertisements are not accepted by default by using the following command: -If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding. 
+$ sysctl net.ipv6.conf.default.accept_ra +net.ipv6.conf.default.accept_ra = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040270OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +If the "accept_ra" value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040270OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow interfaces to perform IPv4 ICMP redirects by default. 
-$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.default.send_redirects = 0 -If "0" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv4.conf.default.send_redirects=0Verify OL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. +$ sudo sysctl --systemVerify OL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. Check the value of the "default send_redirects" variables with the following command: -$ sudo sysctl net.ipv4.conf.default.send_redirects - +$ sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects=0 -If the returned line does not have a value of "0" or a line is not returned, this is a finding. +If "net.ipv4.conf.default.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040279OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -Check that the configuration files are present to enable this network parameter. 
- -$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0 - -If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040279OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to ignore IPv4 ICMP redirect messages with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to ignore IPv4 ICMP redirect messages. -$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": - -net.ipv4.conf.all.accept_redirects = 0Verify OL 8 ignores IPv4 ICMP redirect messages. 
- -Check the value of the "accept_redirects" variables with the following command: - -$ sudo sysctl net.ipv4.conf.all.accept_redirects +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. +Load settings from all system configuration files with the following command: -$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +$ sudo sysctl --systemVerify OL 8 will not accept IPv4 ICMP redirect messages. -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0 +Check the value of all "accept_redirects" variables with the following command: -If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. +$ sysctl net.ipv4.conf.all.accept_redirects +net.ipv4.conf.all.accept_redirects = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040280OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040280OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to ignore IPv6 ICMP redirect messages with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to ignore IPv6 ICMP redirect messages. -$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv6.conf.all.accept_redirects = 0 -If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv6.conf.all.accept_redirects = 0Verify OL 8 ignores IPv6 ICMP redirect messages. +$ sudo sysctl --systemNote: If IPv6 is disabled on the system, this requirement is Not Applicable. 
-Note: If IPv6 is disabled on the system, this requirement is Not Applicable. +Verify OL 8 ignores IPv6 ICMP redirect messages. Check the value of the "accept_redirects" variables with the following command: -$ sudo sysctl net.ipv6.conf.all.accept_redirects - +$ sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040281OL 8 must disable access to the network "bpf" syscall from nonprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0 - -If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040281OL 8 must disable access to the network "bpf" syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to prevent privilege escalation through the kernel by disabling access to the "bpf" syscall by adding the following line to a file in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: -kernel.unprivileged_bpf_disabled = 1 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +kernel.nonprivileged_bpf_disabled = 1 The system configuration files must be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify OL 8 prevents privilege escalation through the kernel by disabling access to the "bpf" syscall with the following commands: - -$ sudo sysctl kernel.unprivileged_bpf_disabled - -kernel.unprivileged_bpf_disabled = 1 - -If the returned line does not have a value of "1" or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +$ sudo sysctl --systemVerify OL 8 prevents privilege escalation thru the kernel by disabling access to the bpf system call with the following commands: -/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1 +$ sysctl kernel.nonprivileged_bpf_disabled +kernel.nonprivileged_bpf_disabled = 1 -If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. +If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040282OL 8 must restrict the use of "ptrace" to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040282OL 8 must restrict the use of "ptrace" to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to restrict the use of "ptrace" to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to restrict usage of ptrace to descendant processes by adding the following line to "/etc/sysctl.d/99-sysctl.conf": kernel.yama.ptrace_scope = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify OL 8 restricts the use of "ptrace" to descendant processes with the following commands: - -$ sudo sysctl kernel.yama.ptrace_scope - -kernel.yama.ptrace_scope = 1 - -If the returned line does not have a value of "1" or a line is not returned, this is a finding. 
- -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify OL 8 restricts usage of ptrace to descendant processes with the following commands: -$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1 - -If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. +$ sysctl kernel.yama.ptrace_scope +kernel.yama.ptrace_scope = 1 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040283OL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040283OL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to restrict exposed kernel pointer addresses access by adding the following line to a file in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 
85416CCI-000366Configure OL 8 to prevent the leak of kernel pointers to nonprivileged users. -kernel.kptr_restrict = 1 +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --systemVerify OL 8 restricts exposed kernel pointer addresses access with the following commands: - -$ sudo sysctl kernel.kptr_restrict - -kernel.kptr_restrict = 1 - -If the returned line does not have a value of "1" or "2" or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +kernel.kptr_restrict = 1 -/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 +Reload settings from all system configuration files with the following command: -If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding. +$ sudo sysctl --systemVerify OL 8 restricts access to exposed kernel pointers with the following command: -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040284OL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. +$ sysctl kernel.kptr_restrict +kernel.kptr_restrict = 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040284OL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -User namespaces are used primarily for Linux containers. "Rootful" containers run with root privileges on the host system and may pose a security risk if compromised. "Rootless" containers run without root privileges and allow for better isolation from the host system. The value "0" disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When privileged user namespaces or "rootful" containers are in use, user namespaces should be disallowed. When unprivileged user namespaces or "rootless" containers are deployed on a system, the value should be set to a large non-zero value. The default value depends on the amount of memory in the system, approximately the total memory in kilobytes divided by 256. +User namespaces are used primarily for Linux containers. "Rootful" containers run with root privileges on the host system and may pose a security risk if compromised. "Rootless" containers run without root privileges and allow for better isolation from the host system. The value "0" disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When privileged user namespaces or "rootful" containers are in use, user namespaces should be disallowed. When nonprivileged user namespaces or "rootless" containers are deployed on a system, the value should be set to a large nonzero value. 
The default value depends on the amount of memory in the system, approximately the total memory in kilobytes divided by 256. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: - user.max_user_namespaces = 0 +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable. -Remove any configurations that conflict with the above from the following locations: - - /run/sysctl.d/*.conf - /usr/local/lib/sysctl.d/*.conf - /usr/lib/sysctl.d/*.conf - /lib/sysctl.d/*.conf - /etc/sysctl.conf - /etc/sysctl.d/*.conf +user.max_user_namespaces = 0 The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - $ sudo sysctl --systemVerify OL 8 disables the use of user namespaces with the following commands. 
- -Note: If unprivileged user namespaces or "rootless" containers are in use, this requirement is not applicable. - - $ sudo sysctl user.max_user_namespaces - user.max_user_namespaces = 0 - -If the returned line does not have a value of "0" or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable. - $ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - /etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 +Verify OL 8 disables the use of user namespaces with the following commands: -If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. +$ sysctl user.max_user_namespaces +user.max_user_namespaces = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040285OL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the returned line does not have a value of "0", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040285OL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enabling reverse path filtering drops packets with source addresses that are not routable. There is no equivalent filter for IPv6 traffic. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the system to use reverse path filtering on all IPv4 interfaces by adding the following line to a file in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to use reverse path filtering on all IPv4 interfaces. -net.ipv4.conf.all.rp_filter = 1 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.all.rp_filter = 1 The system configuration files must be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify OL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: - -$ sudo sysctl net.ipv4.conf.all.rp_filter - -net.ipv4.conf.all.rp_filter = 1 - -If the returned line does not have a value of "1" or "2" or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 +$ sudo sysctl --systemVerify OL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: -If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding. +$ sysctl net.ipv4.conf.all.rp_filter +net.ipv4.conf.all.rp_filter = 1 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040286OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040286OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: net.core.bpf_jit_harden = 2 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +The system configuration files must be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify OL 8 enables hardening for the BPF JIT with the following commands: +$ sudo sysctl --systemVerify OL 8 enables hardening for the BPF JIT with the following commands: $ sudo sysctl net.core.bpf_jit_harden - net.core.bpf_jit_harden = 2 -If the returned line does not have a value of "2", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2 - -If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040290OL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay to send spam or for other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: +If the returned line does not have a value of "2", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040290OL 8 must be configured to prevent 
unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay to send spam or for other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. 
@@ -7559,49 +7098,30 @@ Check for the use of the "pwquality" retry option in the system-auth and passwor $ sudo grep pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth | grep retry -If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040259OL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040259OL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow IPv4 packet forwarding unless the system is a router. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to not allow IPv4 packet forwarding unless the system is a router. 
-Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.all.forwarding=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.all.forwarding = 0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify OL 8 is not performing IPv4 packet forwarding, unless the system is a router. +$ sudo sysctl --systemVerify OL 8 is not performing IPv4 packet forwarding, unless the system is a router. Check that IPv4 forwarding is disabled using the following command: -$ sudo sysctl net.ipv4.conf.all.forwarding - +$ sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.forwarding = 0 -If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - -Check that the configuration files are present to enable this network parameter: - -$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0 - -If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040321The graphical display manager must not be the default target on OL 8 unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: +If the IPv4 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040321The graphical display manager must not be the default target on OL 8 unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. 
If reinstallation is not feasible, then continue with the following procedure: Open an SSH session and enter the following commands: 
@@ -7679,27 +7199,36 @@ Verify that the "mailx" package is installed on the system: mailx.x86_64 12.5-29.el8 @ol8_baseos_latest -If "mailx" package is not installed, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>OL08-00-020035OL 8 must terminate idle user sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001133Configure OL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: +If "mailx" package is not installed, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>OL08-00-020035OL 8 must terminate idle user sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001133Configure OL 8 to log out idle sessions. 
- StopIdleSessionSec=900 +Create the directory if necessary: -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: +$ mkdir -p /etc/systemd/logind.conf.d/ - $ sudo systemctl restart systemd-logindVerify that OL 8 logs out sessions that are idle for 15 minutes with the following command: +Create a *.conf file in /etc/systemd/logind.conf.d/ with the following content: - $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf +[Login] +StopIdleSessionSec=600 +KillUserProcesses=no - StopIdleSessionSec=900 +Restart systemd-logind: -If "StopIdleSessionSec" is not configured to 900 seconds, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>OL08-00-030645OL 8 must audit any script or executable called by cron as root or by any privileged user.<VulnDiscussion>Any script or executable called by cron as root or by any privileged user must be owned by that user and must have the permissions 755 or more restrictive and should have no extended rights that allow any nonprivileged user to modify the script or executable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000172Configure OL 8 to audit the execution of any system call made by cron as root or as any privileged user. 
+$ systemctl restart systemd-logindVerify OL 8 logs out sessions that are idle for 10 minutes with the following command: + +$ systemd-analyze cat-config systemd/logind.conf | grep StopIdleSessionSec + +#StopIdleSessionSec=infinity +StopIdleSessionSec=600 + +If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>OL08-00-030645OL 8 must audit any script or executable called by cron as root or by any privileged user.<VulnDiscussion>Any script or executable called by cron as root or by any privileged user must be owned by that user and must have the permissions 755 or more restrictive and should have no extended rights that allow any nonprivileged user to modify the script or executable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000172Configure OL 8 to audit the execution of any system call made by cron as root or as any privileged user. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": -auditctl -w /etc/cron.d/ -p wa -k cronjobs -auditctl -w /var/spool/cron/ -p wa -k cronjobs +-w /etc/cron.d/ -p wa -k cronjobs +-w /var/spool/cron/ -p wa -k cronjobs To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify that OL 8 is configured to audit the execution of any system call made by cron as root or as any privileged user. +$ sudo augenrules --loadVerify OL 8 is configured to audit the execution of any system call made by cron as root or as any privileged user. $ sudo auditctl -l | grep /etc/cron.d -w /etc/cron.d -p wa -k cronjobs 
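Review bot: The reference text for OL08-00-020035 now requires `StopIdleSessionSec=600` in a drop-in under /etc/systemd/logind.conf.d/ (the removed lines required 900 in /etc/systemd/logind.conf), so whichever profile value implements this STIG ID must change in the same PR or the built profile will disagree with the reference it claims to track; nothing in this hunk shows that adjustment, and it may live in a file outside this diff. The same applies to the next hunk (`@@ -7707,4 +7236,18 @@`), which adds a new STIG ID OL08-00-020040 requiring `declare -xr TMOUT=600` in /etc/profile.d/tmout.sh and therefore needs a rule mapped to it in the profile. The stray apostrophe in `"/etc/'profile.d/` in that added check text appears to come from the upstream DISA document and should be left as is, since this is a vendored reference file.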
@@ -7707,4 +7236,18 @@ $ sudo auditctl -l | grep /etc/cron.d $ sudo auditctl -l | grep /var/spool/cron -w /var/spool/cron -p wa -k cronjobs -If either of these commands do not return the expected output, or the lines are commented out, this is a finding. \ No newline at end of file +If either of these commands do not return the expected output, or the lines are commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>OL08-00-020040OL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. + +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001133Configure OL 8 to exit interactive command shell user sessions after 10 minutes of inactivity. + +Add or edit the following line in "/etc/profile.d/tmout.sh": + +#!/bin/bash + +declare -xr TMOUT=600Verify OL 8 is configured to exit interactive command shell user sessions after 10 minutes of inactivity or less with the following command: + +$ sudo grep -i tmout /etc/profile /etc/profile.d/*.sh + +/etc/profile.d/tmout.sh:declare -xr TMOUT=600 + +If "TMOUT" is not set to "600" or less in a script located in the "/etc/'profile.d/ directory, is missing or is commented out, this is a finding. \ No newline at end of file 
diff --git a/shared/references/disa-stig-ol8-v2r6-xccdf-scap.xml b/shared/references/disa-stig-ol8-v2r7-xccdf-scap.xml similarity index 93% rename from shared/references/disa-stig-ol8-v2r6-xccdf-scap.xml rename to shared/references/disa-stig-ol8-v2r7-xccdf-scap.xml index 580258380465..830a6defd592 100644 --- a/shared/references/disa-stig-ol8-v2r6-xccdf-scap.xml +++ b/shared/references/disa-stig-ol8-v2r7-xccdf-scap.xml @@ -1,36 +1,36 @@ - - + + - + - + - + - + - - + + - + Oracle Linux 8 - oval:mil.disa.stig.ol8os:def:1 + oval:mil.disa.stig.ol8os:def:1 - + - accepted + accepted Oracle Linux 8 STIG SCAP Benchmark This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. @@ -40,97 +40,109 @@ DISA STIG.DOD.MIL - Benchmark Date: 01 Oct 2025 - 3.5.1 + Benchmark Date: 05 Jan 2026 + 3.5.2 1.10.0 Linux krb5 workstation 1.17 or higher is not installed - + Oracle Linux 8.3 or Lower - + Linux krb5 server 1.17 or higher is not installed - + Oracle Linux 8.2 or Higher - + + + + + Linux with NFS mounts configured + + Linux IPv6 Enabled - + Linux BIOS Boot - + Gnome-shell Package - + + + + + Linux with no NFS mounts configured + + Linux UEFI Boot - + Linux with TFTP installed - + Oracle Linux 8.1 or Lower - + Linux UEFI system with boot partition file type other than VFAT - + Kernel dumps are enabled - + Linux with postfix installed - + Linux with autofs installed - + - 002.006 + 002.007 DISA DISA @@ -269,7 +281,6 @@ - @@ -558,7 +569,6 @@ - @@ -847,7 +857,6 @@ - @@ -1136,7 +1145,6 @@ - @@ -1425,7 +1433,6 @@ - @@ -1714,7 +1721,6 @@ - @@ -2003,7 +2009,6 @@ - @@ -2292,7 +2297,6 @@ - @@ -2581,7 +2585,6 @@ - @@ -2759,20 +2762,21 @@ - - - + + + + 
@@ -2804,10 +2808,12 @@ - + + + @@ -2816,8 +2822,12 @@ + + + + @@ -2826,46 +2836,44 @@ - - - - + - + + + - - + - + @@ -2873,11 +2881,10 @@ - - + @@ -2886,11 +2893,9 @@ - - @@ -2902,9 +2907,10 @@ + - + @@ -2915,19 +2921,12 @@ - - - - - - - - + @@ -2935,24 +2934,25 @@ - + + + - + - - - - + + + + - @@ -2960,9 +2960,8 @@ - - - + + @@ -2975,17 +2974,19 @@ + + - - + + @@ -2993,15 +2994,17 @@ - + + + + - @@ -3010,11 +3013,10 @@ - - - + + @@ -3070,7 +3072,7 @@ Install the audit service (if the audit service is not already installed) with t $ sudo yum install audit - + 
@@ -3127,19 +3129,25 @@ $ sudo systemctl enable auditd.service $ sudo systemctl start auditd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010000 OL 8 must be a vendor-supported release. - <VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + <VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DOD that reflects the most restrictive security posture consistent with operational requirements. -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. 
Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +End Of Life dates for Oracle Linux 8 releases are as follows: +Current end of Premier Support for Oracle Linux 8 is July 2029. +Current end of Extended Support for Oracle Linux 8 is July 2032. + +Each minor version reaches end of life when the new version is released.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA @@ -3151,7 +3159,7 @@ Configuration settings are the set of parameters that can be changed in hardware Upgrade to a supported version of the operating system. - + 
@@ -3192,7 +3200,7 @@ Enable FIPS mode after installation (not strict FIPS-compliant) with the followi Reboot the system for the changes to take effect. - + @@ -3240,7 +3248,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -3276,7 +3284,7 @@ The "rsyslog" service must be restarted for the changes to take effect. To resta $ sudo systemctl restart rsyslog.service - + @@ -3307,7 +3315,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M ENCRYPT_METHOD SHA512 - + @@ -3332,7 +3340,7 @@ Passwords need to be protected at all times, and encryption is the standard meth Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - + @@ -3361,14 +3369,14 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ SHA_CRYPT_MIN_ROUNDS 100000 - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + OL08-00-010140 OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3390,14 +3398,14 @@ Enter password: Confirm password: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + OL08-00-010150 OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3419,14 +3427,14 @@ Enter password: Confirm password: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + OL08-00-010151 OL 8 operating systems must require authentication upon booting into rescue mode. <VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3443,14 +3451,14 @@ Confirm password: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + OL08-00-010152 OL 8 operating systems must require authentication upon booting into emergency mode. <VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3467,7 +3475,7 @@ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - + @@ -3497,7 +3505,7 @@ Edit/modify the following line in the "/etc/pam.d/system-auth" file to include t password sufficient pam_unix.so sha512 - + @@ -3527,7 +3535,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include password sufficient pam_unix.so sha512 - + @@ -3559,7 +3567,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access Remove any files with the .keytab extension from the operating system. - + @@ -3590,7 +3598,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-workstation - + @@ -3621,7 +3629,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-server - + @@ -3653,7 +3661,7 @@ SELINUX=enforcing A reboot is required for the changes to take effect. - + @@ -3677,7 +3685,7 @@ A reboot is required for the changes to take effect. $ sudo yum install policycoreutils - + 
@@ -3716,7 +3724,7 @@ For the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service - + @@ -3755,7 +3763,7 @@ The SSH daemon must be restarted for changes to take effect. $ sudo systemctl restart sshd.service - + @@ -3781,7 +3789,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0640 /var/log/messages - + @@ -3807,7 +3815,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log/messages - + @@ -3833,7 +3841,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log/messages - + @@ -3859,7 +3867,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0755 /var/log - + @@ -3885,7 +3893,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log - + @@ -3911,7 +3919,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log - + @@ -3941,7 +3949,7 @@ SSH_USE_STRONG_RNG=32 The SSH service must be restarted for changes to take effect. - + @@ -3981,7 +3989,7 @@ DTLS.MinProtocol = DTLSv1.2 A reboot is required for the changes to take effect. - + @@ -4009,7 +4017,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod $ sudo chmod 755 [FILE] - + @@ -4037,7 +4045,7 @@ Run the following command, replacing "[FILE]" with any system command file not o $ sudo chown root [FILE] - + @@ -4065,7 +4073,7 @@ Run the following command, replacing "[FILE]" with any system command file not g $ sudo chgrp root [FILE] - + @@ -4091,7 +4099,7 @@ This requirement applies to OL 8 with software libraries that are accessible and $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} + - + 
@@ -4117,7 +4125,7 @@ This requirement applies to OL 8 with software libraries that are accessible and $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} + - + @@ -4143,7 +4151,7 @@ This requirement applies to OL 8 with software libraries that are accessible and $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} + - + @@ -4172,7 +4180,7 @@ Verifying the authenticity of the software prior to installation validates the i gpgcheck=1 - + @@ -4203,14 +4211,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: localpkg_gpgcheck=True - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - + OL08-00-010373 OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks. <VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
@@ -4219,7 +4227,7 @@ When DAC policies are implemented, subjects are not constrained as to what actio By enabling the "fs.protected_symlinks" kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -4234,33 +4242,25 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-002165 - Configure OL 8 to enable DAC on symlinks. + Configure OL 8 to enable DAC on symlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_symlinks = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - + OL08-00-010374 OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks. <VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
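Review bot: The rewritten fixtext for OL08-00-010373 drops the "Remove any configurations that conflict with the above" step for /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d, /etc/sysctl.conf and the other /etc/sysctl.d files, while the VulnDiscussion in the preceding hunk still states that under `sysctl --system` the lexicographically latest file wins. An administrator who follows only the new text can add `fs.protected_symlinks = 1` to one /etc/sysctl.d file and still have it overridden by a later-sorting file, so the fix is no longer sufficient on its own. This appears to be vendored DISA STIG text, so the wording is presumably upstream's; if it cannot be changed here, the compliance check for this rule should presumably keep evaluating the effective sysctl value and all listed locations rather than only the file named in the fix. Reinstating one sentence, `Remove any conflicting fs.protected_symlinks entries from the other sysctl configuration locations listed above.`, would close the gap; the same omission occurs in the fs.protected_hardlinks hunk that follows.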
@@ -4269,7 +4269,7 @@ When DAC policies are implemented, subjects are not constrained as to what actio By enabling the "fs.protected_hardlinks" kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -4284,44 +4284,36 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-002165 - Configure OL 8 to enable DAC on hardlinks. + Configure OL 8 to enable DAC on hardlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_hardlinks = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + OL08-00-010375 OL 8 must restrict access to the kernel message buffer. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. 
This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. -Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user. +Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -4336,44 +4328,36 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-001090 - Configure OL 8 to restrict access to the kernel message buffer. + Configure OL 8 to restrict access to the kernel message buffer. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: kernel.dmesg_restrict = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + OL08-00-010376 - OL 8 must prevent kernel profiling by unprivileged users. + OL 8 must prevent kernel profiling by nonprivileged users. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
+This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. -Setting the "kernel.perf_event_paranoid" kernel parameter to "2" prevents attackers from gaining additional system information as a non-privileged user. +Setting the "kernel.perf_event_paranoid" kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
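Review bot: The new fixtext for OL08-00-010375 pins the setting to `/etc/sysctl.d/99-sysctl.conf`, whereas the symlink, hardlink, ASLR and core_pattern fixes in this same diff say "a system configuration file in the /etc/sysctl.d/ directory"; the two wordings should agree, and naming one file does not by itself prevent a later-sorting file such as `/etc/sysctl.d/99-zzz.conf` from overriding `kernel.dmesg_restrict = 1` once the conflict-removal step has been dropped. On RHEL-family systems 99-sysctl.conf is, as far as I can tell, often a symlink to /etc/sysctl.conf, which would make the instruction write to a file the precedence list in this very hunk ranks last among its directories — worth confirming for OL 8. I would align the sentence with the other rules, `Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:`, and keep the instruction to remove conflicting entries from the other locations. The perf_event_paranoid fix for OL08-00-010376 in the next hunk has the identical wording and needs the same treatment.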
@@ -4388,26 +4372,18 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-001090 - Configure OL 8 to prevent kernel profiling by unprivileged users. + Configure OL 8 to prevent kernel profiling by nonprivileged users. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: kernel.perf_event_paranoid = 2 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - Load settings from all system configuration files with the following command: $ sudo sysctl --system - + - + @@ -4444,7 +4420,7 @@ $ sudo grep -ir nopasswd /etc/sudoers.d Remove any occurrences of "NOPASSWD" tags in the file. - + @@ -4471,7 +4447,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "!authenticate" found in the "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + @@ -4495,7 +4471,7 @@ ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL - + @@ -4525,7 +4501,7 @@ Remove any configurations that conflict with the above from the following locati /etc/sudoers.d/ - + @@ -4564,7 +4540,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files. - + 
@@ -4598,21 +4574,21 @@ This requirement only applies to components where this is specific to the functi $ sudo yum install openssl-pkcs11 - + SRG-OS-000433-GPOS-00193 <GroupDescription></GroupDescription> - + OL08-00-010430 OL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. + <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf @@ -4627,26 +4603,18 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-002824 - Configure OL 8 to implement virtual address space randomization. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.d/*.conf" (or modify the line to have the required value): - -kernel.randomize_va_space=2 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf + Configure OL 8 to implement ASLR to protect its memory from unauthorized code execution. + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +kernel.randomize_va_space = 2 + +Reload settings from all system configuration files with the following command: -Issue the following command to make the changes take effect: - $ sudo sysctl --system - + - + @@ -4672,7 +4640,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/yum.conf" f clean_requirements_on_remove=True - + @@ -4702,7 +4670,7 @@ SELINUXTYPE=targeted A reboot is required for the changes to take effect. - + @@ -4726,7 +4694,7 @@ A reboot is required for the changes to take effect. $ sudo rm /etc/ssh/shosts.equiv - + @@ -4750,7 +4718,7 @@ $ sudo rm /etc/ssh/shosts.equiv $ sudo rm /[path]/[to]/[file]/.shosts - + 
@@ -4776,7 +4744,7 @@ The rngd service feeds random data from hardware device to kernel random device. $ sudo yum install rng-tools - + @@ -4804,7 +4772,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4832,7 +4800,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4862,7 +4830,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4881,7 +4849,7 @@ $ sudo systemctl restart sshd.service 5416 CCI-000366 - Configure the SSH daemon to not allow authentication using known host’s authentication. + Configure the SSH daemon to not allow authentication using known host's authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": @@ -4892,7 +4860,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4922,7 +4890,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4952,7 +4920,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4974,7 +4942,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var" path onto a separate file system. - + @@ -4996,7 +4964,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var/log" path onto a separate file system. - + @@ -5018,7 +4986,7 @@ $ sudo systemctl restart sshd.service Migrate the system audit data path onto a separate file system. - + @@ -5040,7 +5008,7 @@ $ sudo systemctl restart sshd.service Migrate the "/tmp" directory onto a separate file system/partition. - + @@ -5062,7 +5030,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var/tmp" path onto a separate file system. - + 
@@ -5093,7 +5061,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -5121,7 +5089,7 @@ $ sudo systemctl start rsyslog.service $ sudo systemctl enable rsyslog.service - + @@ -5143,7 +5111,7 @@ $ sudo systemctl enable rsyslog.service Configure "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users. - + 
@@ -5166,17 +5134,17 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010572 OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. - <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA 
@@ -5189,17 +5157,17 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010580 - OL 8 must prevent special devices on non-root local partitions. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + OL 8 must prevent special devices on nonroot local partitions. + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA 
@@ -5208,20 +5176,20 @@ $ sudo systemctl enable rsyslog.service 5416 CCI-000366 - Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. - + Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions. + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010630 OL 8 file systems must not execute binary files that are imported via Network File System (NFS). - <VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA 
@@ -5229,21 +5197,22 @@ $ sudo systemctl enable rsyslog.service Oracle Linux 8 5416 + CCI-000366 Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010640 - OL 8 file systems must not interpret character or block special devices that are imported via NFS. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + OL 8 file systems must not interpret character or block special devices that are imported via Network File System (NFS). + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA 
@@ -5251,21 +5220,22 @@ $ sudo systemctl enable rsyslog.service Oracle Linux 8 5416 + CCI-000366 Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010650 OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). - <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA 
@@ -5273,23 +5243,24 @@ $ sudo systemctl enable rsyslog.service Oracle Linux 8 5416 + CCI-000366 Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010671 OL 8 must disable the "kernel.core_pattern". <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -5304,38 +5275,32 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure OL 8 to disable storing core dumps by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure OL 8 to disable storing core dumps. -kernel.core_pattern = |/bin/false +Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +kernel.core_pattern = |/bin/false The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010672 OL 8 must disable acquiring, saving, and processing core dumps. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -When the kernel invokes "systemd-coredump" to handle a core dump, it runs in privileged mode and will connect to the socket created by the "systemd-coredump.socket" unit. 
This, in turn, will spawn an unprivileged "systemd-coredump@.service" instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +When the kernel invokes "systemd-coredump" to handle a core dump, it runs in privileged mode and will connect to the socket created by the "systemd-coredump.socket" unit. This, in turn, will spawn an nonprivileged "systemd-coredump@.service" instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA @@ -5354,14 +5319,14 @@ $ sudo systemctl mask systemd-coredump.socket Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010673 OL 8 must disable core dumps for all users. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -5376,21 +5341,23 @@ A core dump includes a memory image taken at the time the operating system termi CCI-000366 - Configure OL 8 to disable core dumps for all users. - -Add the following line to the top of "/etc/security/limits.conf" or in a ".conf" file defined in "/etc/security/limits.d/": - -* hard core 0 - + Configure OL 8 to disable core dumps for all users. + +Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: + +* hard core 0 + +Remove or comment out any entries for users or groups with a value set to anything other than "0". + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010674 OL 8 must disable storing core dumps. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -5412,14 +5379,14 @@ Add or modify the following line in "/etc/systemd/coredump.conf": Storage=none - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-010675 OL 8 must disable core dump backtraces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -5441,7 +5408,7 @@ Add or modify the following line in "/etc/systemd/coredump.conf": ProcessSizeMax=0 - + @@ -5471,7 +5438,7 @@ If local host resolution is being performed, the "/etc/resolv.conf" file must be $ sudo echo -n > /etc/resolv.conf - + 
@@ -5493,7 +5460,7 @@ $ sudo echo -n > /etc/resolv.conf Assign home directories to all local interactive users on OL 8 that currently do not have a home directory assigned. - + @@ -5519,7 +5486,7 @@ Note: The example will be for the user "smithj". $ sudo chmod 0750 /home/smithj - + @@ -5543,7 +5510,7 @@ $ sudo chmod 0750 /home/smithj CREATE_HOME yes - + @@ -5569,7 +5536,7 @@ Note: The example will be for the smithj user, who has a home directory of "/hom $ sudo chmod 0740 /home/smithj/.<INIT_FILE> - + @@ -5591,7 +5558,7 @@ $ sudo chmod 0740 /home/smithj/.<INIT_FILE> Migrate the "/home" directory onto a separate file system. - + @@ -5619,7 +5586,7 @@ Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] se AutomaticLoginEnable=false - + @@ -5649,7 +5616,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -5687,7 +5654,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5721,7 +5688,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: deny = 3 - + @@ -5761,7 +5728,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5795,7 +5762,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: fail_interval = 900 - + @@ -5835,7 +5802,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5869,7 +5836,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: unlock_time = 0 - + @@ -5909,7 +5876,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -5943,7 +5910,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: silent - + 
@@ -5983,7 +5950,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -6017,7 +5984,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: audit - + @@ -6057,7 +6024,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -6091,7 +6058,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: even_deny_root - + @@ -6119,7 +6086,7 @@ Add the following line to the top of "/etc/security/limits.conf" or in a ".conf" * hard maxlogins 10 - + @@ -6153,7 +6120,7 @@ Update the system databases: $ sudo dconf update - + @@ -6200,7 +6167,7 @@ Update the system databases: $ sudo dconf update - + @@ -6242,7 +6209,7 @@ Add the following setting to prevent non-privileged users from modifying it: /org/gnome/desktop/screensaver/lock-delay - + @@ -6284,7 +6251,7 @@ Add the following setting to prevent non-privileged users from modifying it: /org/gnome/desktop/screensaver/lock-enabled - + @@ -6316,7 +6283,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin password requisite pam_pwquality.so - + @@ -6352,7 +6319,7 @@ ucredit = -1 Remove any configurations that conflict with the above value. - + @@ -6385,7 +6352,7 @@ lcredit = -1 Remove any configurations that conflict with the above value. - + @@ -6418,7 +6385,7 @@ dcredit = -1 Remove any configurations that conflict with the above value. - + @@ -6451,7 +6418,7 @@ maxclassrepeat = 4 Remove any configurations that conflict with the above value. - + @@ -6484,7 +6451,7 @@ maxrepeat = 3 Remove any configurations that conflict with the above value. - + @@ -6517,7 +6484,7 @@ minclass = 4 Remove any configurations that conflict with the above value. - + @@ -6550,7 +6517,7 @@ difok = 8 Remove any configurations that conflict with the above value. - + 
@@ -6575,7 +6542,7 @@ Remove any configurations that conflict with the above value. $ sudo chage -m 1 [user] - + @@ -6602,7 +6569,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1 - + @@ -6629,7 +6596,7 @@ Add or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60 - + @@ -6654,7 +6621,7 @@ PASS_MAX_DAYS 60 $ sudo chage -M 60 [user] - + @@ -6687,7 +6654,7 @@ minlen = 15 Remove any configurations that conflict with the above value. - + @@ -6718,7 +6685,7 @@ Add or modify the following line in the "/etc/login.defs" file: PASS_MIN_LEN 15 - + @@ -6750,7 +6717,7 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPO Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. - + @@ -6774,7 +6741,7 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPO $ sudo chmod 0750 /usr/bin/lastlog - + @@ -6798,7 +6765,7 @@ $ sudo chmod 0750 /usr/bin/lastlog $ sudo chown root /usr/bin/lastlog - + @@ -6822,7 +6789,7 @@ $ sudo chown root /usr/bin/lastlog $ sudo chgrp root /usr/bin/lastlog - + @@ -6855,7 +6822,7 @@ ocredit = -1 Remove any configurations that conflict with the above value. - + @@ -6883,7 +6850,7 @@ Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[ offline_credentials_expiration = 1 - + @@ -6911,7 +6878,7 @@ dictcheck=1 Remove any configurations that conflict with the above value. - + @@ -6939,7 +6906,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr FAIL_DELAY 4 - + @@ -6967,7 +6934,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -6991,7 +6958,7 @@ $ sudo systemctl restart sshd.service Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + 
@@ -7015,33 +6982,7 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p Note: Manual changes to the listed file may be overwritten by the "authselect" program. - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL08-00-020340 - OL 8 must display the date and time of the last successful account logon upon logon. - <VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 8 - DISA - DPMS Target - Oracle Linux 8 - 5416 - - CCI-000052 - Configure OL 8 to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". - -Add the following line to the top of "/etc/pam.d/postlogin": - -session required pam_lastlog.so showfailed - - - + @@ -7069,7 +7010,7 @@ PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect. - + 
@@ -7095,14 +7036,14 @@ Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example be UMASK 077 - + SRG-OS-000326-GPOS-00126 <GroupDescription></GroupDescription> - + OL08-00-030000 The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. <VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. @@ -7117,22 +7058,22 @@ Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion CCI-002233 CCI-002234 - Configure OL 8 to audit the execution of the "execve" system call. + Configure OL 8 to audit the execution of the "execve" system call. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": --a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv --a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 key=execpriv +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 key=execpriv --a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv --a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 key=execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 key=execpriv The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart - + - + 
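Review bot: The four replacement audit rules in the `@@ -7117,22 +7058,22 @@` hunk lose the `-F` in front of the key field — they read `-F euid=0 key=execpriv` — so auditctl would reject each line as a parameter passed without an option, whereas the removed lines carried `-F key=execpriv`. If this file mirrors the published DISA benchmark text verbatim the wording has to stay as published, but any remediation or check the project derives from it should read `-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv` (and likewise for the b32 and gid/egid variants). The added `-F euid=0` narrowing itself is sound: it limits the rule to escalations to root rather than any uid/gid change, which cuts log volume without losing the privileged-function events this control cares about.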
@@ -7162,7 +7103,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator action_mail_acct = root - + @@ -7192,7 +7133,7 @@ Add/update the following line in "/etc/aliases": postmaster: root - + @@ -7224,7 +7165,7 @@ disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure OL 8 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - + @@ -7258,7 +7199,7 @@ disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure OL 8 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - + @@ -7286,7 +7227,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: local_events = yes - + @@ -7318,7 +7259,7 @@ name_format = hostname The audit daemon must be restarted for changes to take effect. - + @@ -7348,7 +7289,7 @@ log_format = ENRICHED The audit daemon must be restarted for changes to take effect. - + @@ -7380,7 +7321,7 @@ $ sudo chmod 0600 [audit_log_file] Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log". - + @@ -7412,7 +7353,7 @@ $ sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log". - + @@ -7444,7 +7385,7 @@ $ sudo chgrp root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log". - + @@ -7476,7 +7417,7 @@ $ sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path. By default, this location is usually "/var/log/audit". - + 
@@ -7508,7 +7449,7 @@ $ sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path. By default, this location is usually "/var/log/audit". - + @@ -7540,7 +7481,7 @@ $ sudo chmod 0700 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path. By default, this location is "/var/log/audit". - + @@ -7574,7 +7515,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - + @@ -7606,7 +7547,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO --loginuid-immutable - + @@ -7650,7 +7591,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -7694,7 +7635,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -7738,7 +7679,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -7783,7 +7724,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -7827,7 +7768,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -7871,7 +7812,7 @@ The audit daemon must be restarted for the changes to take effect. $ sudo service auditd restart - + @@ -7915,7 +7856,7 @@ The audit daemon must be restarted for the changes to take effect. $ sudo service auditd restart - + @@ -7953,7 +7894,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8003,7 +7944,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + 
@@ -8041,7 +7982,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8079,7 +8020,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8117,7 +8058,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8155,7 +8096,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8193,7 +8134,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8231,7 +8172,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8270,7 +8211,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8308,7 +8249,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8346,7 +8287,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8384,7 +8325,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8416,7 +8357,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8448,7 +8389,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8480,7 +8421,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8518,7 +8459,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + 
@@ -8556,7 +8497,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8594,7 +8535,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8632,7 +8573,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8670,7 +8611,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8708,7 +8649,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8749,7 +8690,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8795,7 +8736,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8833,7 +8774,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8872,7 +8813,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8910,7 +8851,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8948,7 +8889,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -8996,7 +8937,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -9041,7 +8982,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -9084,7 +9025,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + 
@@ -9122,7 +9063,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -9160,7 +9101,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -9198,7 +9139,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -9246,7 +9187,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -9294,7 +9235,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th $ sudo service auditd restart - + @@ -9319,7 +9260,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/*.rules $ sudo chmod 0640 /etc/audit/auditd.conf - + @@ -9349,7 +9290,7 @@ $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - + @@ -9383,7 +9324,7 @@ $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root". - + @@ -9417,7 +9358,7 @@ $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root". - + @@ -9454,7 +9395,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog - + @@ -9491,7 +9432,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog-gnutls - + @@ -9523,7 +9464,7 @@ overflow_action = syslog The audit daemon must be restarted for changes to take effect. - + @@ -9559,7 +9500,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion $ActionSendStreamDriverAuthMode x509/name - + @@ -9583,7 +9524,7 @@ $ActionSendStreamDriverAuthMode x509/name space_left = 25% - + @@ -9609,7 +9550,7 @@ space_left_action = email Note: Option names and values in the auditd.conf file are case insensitive. - + 
@@ -9637,7 +9578,7 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc port 0 - + @@ -9665,7 +9606,7 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc cmdport 0 - + @@ -9699,7 +9640,7 @@ If a privileged user were to log on using this service, the privileged user pass $ sudo yum remove telnet-server - + @@ -9729,7 +9670,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove abrt* - + @@ -9759,7 +9700,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove sendmail - + @@ -9798,7 +9739,7 @@ Add or update the line: blacklist atm - + @@ -9836,7 +9777,7 @@ Add or update the line: blacklist can - + @@ -9874,7 +9815,7 @@ Add or update the line: blacklist sctp - + @@ -9907,7 +9848,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -9940,7 +9881,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + @@ -9971,16 +9912,16 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000114-GPOS-00059 <GroupDescription></GroupDescription> - + OL08-00-040070 - The OL 8 file system automounter must be disabled unless required. + The OL 8 file system automounter must be disabled. <VulnDiscussion>Verify the operating system disables the ability to automount devices. Determine if automounter service is active with the following command: 
@@ -9991,7 +9932,7 @@ autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +If the "autofs" status is set to "active" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA @@ -10001,17 +9942,15 @@ If the "autofs" status is set to "active" and is not documented with the Informa CCI-000778 - Configure OL 8 to disable the ability to automount devices. - -Turn off the automount service with the following commands: - -$ sudo systemctl stop autofs -$ sudo systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO. - + Configure OL 8 to disable the ability to automount devices. + +Turn off the automount service with the following commands: + +$ sudo systemctl stop autofs +$ sudo systemctl disable autofs + - + @@ -10043,7 +9982,7 @@ Add or update the lines: Reboot the system for the settings to take effect. - + 
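Review bot: The check text kept in the `@@ -9991,7 +9932,7 @@` hunk still says an active `autofs` is a finding only when it "is not documented with the information system security officer (ISSO) as an operational requirement", while the fix text in the `@@ -10001,17 +9942,15 @@` hunk drops the sentence permitting `autofs` for NFS when documented with the ISSO and the title hunk on the previous line now reads "must be disabled" with "unless required" removed. Check and fix therefore disagree on whether an ISSO-documented exception exists, and an assessor reads the check text first. If this file mirrors the published DISA wording the inconsistency is upstream's, but it is worth confirming which reading the project's own rule content for this requirement follows.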
@@ -10073,7 +10012,7 @@ OL 8 functionality (e.g., RDP) must be capable of taking enforcement action if t $ sudo yum install firewalld.noarch - + @@ -10105,7 +10044,7 @@ $ sudo systemctl enable firewalld $ sudo systemctl start firewalld - + @@ -10147,7 +10086,7 @@ Add or update the line: Reboot the system for the settings to take effect. - + @@ -10177,7 +10116,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10207,7 +10146,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10237,7 +10176,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10267,7 +10206,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10297,7 +10236,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10327,7 +10266,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10357,7 +10296,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10387,7 +10326,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10417,7 +10356,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + 
@@ -10447,7 +10386,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10477,7 +10416,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10507,7 +10446,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10537,7 +10476,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10567,7 +10506,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10597,7 +10536,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -10632,7 +10571,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155</VulnDiscussion $ sudo yum install fapolicyd.x86_64 - + @@ -10667,7 +10606,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155</VulnDiscussion $ sudo systemctl enable --now fapolicyd - + @@ -10698,7 +10637,7 @@ The system administrator (SA) must work with the site information system securit $ sudo yum install usbguard.x86_64 - + @@ -10733,7 +10672,7 @@ $ sudo systemctl start usbguard.service Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse. - + @@ -10767,7 +10706,7 @@ FirewallBackend=nftables Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces. - + 
@@ -10800,7 +10739,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo yum install openssh-server.x86_64
-
+
@@ -10833,7 +10772,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo systemctl enable sshd.service
-
+
@@ -10863,7 +10802,7 @@ The SSH daemon must be restarted for the settings to take effect. $ sudo systemctl restart sshd.service
-
+
@@ -10895,7 +10834,7 @@ Reload the daemon to take effect: $ sudo systemctl daemon-reload
-
+
@@ -10927,14 +10866,14 @@ Update the dconf settings: $ sudo dconf update
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040172 OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence. <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -10946,16 +10885,22 @@ $ sudo dconf update 5416 CCI-000366
- Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file:
-
-CtrlAltDelBurstAction=none
-
-Reload the daemon for this change to take effect:
-
+ Configure OL 8 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file:
+
+If no drop file exists, create one with the following command:
+
+$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction
+
+Edit the file to contain the setting by adding the following text:
+
+CtrlAltDelBurstAction=none
+
+Reload the daemon for this change to take effect.
+
 $ sudo systemctl daemon-reload
-
+
-
+
@@ -10985,7 +10930,7 @@ Reload the daemon to take effect: $ sudo systemctl daemon-reload
-
+
@@ -11009,7 +10954,7 @@ $ sudo systemctl daemon-reload $ sudo yum remove tftp-server
-
+
@@ -11033,19 +10978,19 @@ $ sudo yum remove tftp-server If the account is associated with system commands or applications, change the UID to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040209 OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11060,36 +11005,30 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366
- Configure OL 8 to prevent IPv4 ICMP redirect messages from being accepted with the following command:
+ Configure OL 8 to prevent IPv4 ICMP redirect messages from being accepted.
-$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv4.conf.default.accept_redirects = 0
-If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv4.conf.default.accept_redirects=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040210 OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11105,38 +11044,32 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366
- Configure OL 8 to prevent IPv6 ICMP redirect messages from being accepted with the following command:
+ Configure OL 8 to prevent IPv6 ICMP redirect messages from being accepted.
-$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv6.conf.default.accept_redirects = 0
-If "0" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv6.conf.default.accept_redirects=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040220 OL 8 must not send Internet Control Message Protocol (ICMP) redirects. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in.
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11151,38 +11084,32 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366
- Configure OL 8 to not allow interfaces to perform IPv4 ICMP redirects with the following command:
+ Configure OL 8 to not allow interfaces to perform IPv4 ICMP redirects.
-$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv4.conf.all.send_redirects = 0
-If "0" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv4.conf.all.send_redirects=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040230 OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in.
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11197,36 +11124,30 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366
- Configure OL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address with the following command:
+ Configure OL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.
-$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv4.icmp_echo_ignore_broadcasts = 1
-If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv4.icmp_echo_ignore_broadcasts=1
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040239 OL 8 must not forward IPv4 source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11241,36 +11162,30 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366
- Configure OL 8 to not forward IPv4 source-routed packets with the following command:
+ Configure OL 8 to ignore IPv4 source-routed packets.
-$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv4.conf.all.accept_source_route = 0
-If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv4.conf.all.accept_source_route=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040240 OL 8 must not forward IPv6 source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11286,36 +11201,30 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366
- Configure OL 8 to not forward IPv6 source-routed packets with the following command:
+ Configure OL 8 to not forward IPv6 source-routed packets.
-$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv6.conf.all.accept_source_route = 0
-If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv6.conf.all.accept_source_route=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040249 OL 8 must not forward IPv4 source-routed packets by default. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11330,36 +11239,30 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366
- Configure OL 8 to not forward IPv4 source-routed packets by default with the following command:
+ Configure OL 8 to not forward IPv4 source-routed packets by default.
-$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv4.conf.default.accept_source_route = 0
-If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv4.conf.default.accept_source_route=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040250 OL 8 must not forward IPv6 source-routed packets by default. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11375,36 +11278,30 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366
- Configure OL 8 to not forward IPv6 source-routed packets by default with the following command:
+ Configure OL 8 to not forward IPv6 source-routed packets by default.
-$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv6.conf.default.accept_source_route = 0
-If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv6.conf.default.accept_source_route=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040260 OL 8 must not enable IPv6 packet forwarding unless the system is a router. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11420,38 +11317,32 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366
- Configure OL 8 to not allow IPv6 packet forwarding unless the system is a router with the following command:
+ Configure OL 8 to not allow IPv6 packet forwarding unless the system is a router.
-$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv6.conf.all.forwarding = 0
-If "0" is not the system's default value, add or update the following lines in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv6.conf.all.forwarding=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040261 OL 8 must not accept router advertisements on all IPv6 interfaces. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11467,38 +11358,32 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366
- Configure the system to not accept router advertisements on all IPv6 interfaces unless the system is a router with the following commands:
+ Configure OL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.
-$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
+Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:
-Remove any configurations that conflict with the above from the following locations:
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-/etc/sysctl.d/*.conf
+net.ipv6.conf.all.accept_ra = 0
-If "0" is not the system's default value, add or update the following lines in the appropriate file under "/etc/sysctl.d":
+Load settings from all system configuration files with the following command:
-net.ipv6.conf.all.accept_ra=0
-
+$ sudo sysctl --system
+
-
+
 SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription>
-
+
 OL08-00-040262 OL 8 must not accept router advertisements on all IPv6 interfaces by default. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack.
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
 /etc/sysctl.d/*.conf
 /run/sysctl.d/*.conf
 /usr/local/lib/sysctl.d/*.conf
@@ -11514,38 +11399,32 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure the system to not accept router advertisements on all IPv6 interfaces by default, unless the system is a router, with the following commands: + Configure OL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. -$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv6.conf.default.accept_ra = 0 -If "0" is not the system's default value, add or update the following lines in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv6.conf.default.accept_ra=0 - +$ sudo sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040270 OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. -The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -11560,36 +11439,30 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure OL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default with the following command: + Configure OL 8 to not allow interfaces to perform IPv4 ICMP redirects by default. -$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.default.send_redirects = 0 -If "0" is not the system's default value, add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv4.conf.default.send_redirects=0 - +$ sudo sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040279 OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -11604,36 +11477,30 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure OL 8 to ignore IPv4 ICMP redirect messages with the following command: + Configure OL 8 to ignore IPv4 ICMP redirect messages. -$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.all.accept_redirects = 0 -If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv4.conf.all.accept_redirects = 0 - +$ sudo sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040280 OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -11649,36 +11516,30 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure OL 8 to ignore IPv6 ICMP redirect messages with the following command: + Configure OL 8 to ignore IPv6 ICMP redirect messages. -$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv6.conf.all.accept_redirects = 0 -If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": +Load settings from all system configuration files with the following command: -net.ipv6.conf.all.accept_redirects = 0 - +$ sudo sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040281 - OL 8 must disable access to the network "bpf" syscall from unprivileged processes. + OL 8 must disable access to the network "bpf" syscall from nonprivileged processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -11693,36 +11554,28 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure the system to prevent privilege escalation through the kernel by disabling access to the "bpf" syscall by adding the following line to a file in the "/etc/sysctl.d" directory: - -kernel.unprivileged_bpf_disabled = 1 + Configure OL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +kernel.nonprivileged_bpf_disabled = 1 The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040282 OL 8 must restrict the use of "ptrace" to descendant processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
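Review bot: The new fix text in this hunk names a sysctl key that does not exist, `kernel.nonprivileged_bpf_disabled = 1`; the kernel parameter is `kernel.unprivileged_bpf_disabled`, which is what the removed line carried. A file with the new line would be reported by `sysctl --system` as an unknown key and not applied, leaving unprivileged BPF access enabled although the rule title still requires it disabled. This looks like a wholesale "unprivileged" → "nonprivileged" replacement in the upstream text (the rule title in the preceding hunk changed the same way), so if this file mirrors the vendor release verbatim the discrepancy should at least be recorded so that the project's own fix text and remediation for this rule keep the real key. The enclosing XCCDF element begins and ends outside the hunk.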
@@ -11737,36 +11590,28 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure the system to restrict the use of "ptrace" to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure OL 8 to restrict usage of ptrace to descendant processes by adding the following line to "/etc/sysctl.d/99-sysctl.conf": kernel.yama.ptrace_scope = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040283 OL 8 must restrict exposed kernel pointer addresses access. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
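Review bot: The new fix text points to `"/etc/sysctl.d/99-sysctl.conf"` for kernel.yama.ptrace_scope, and the kptr_restrict hunk that follows does the same, whereas every other sysctl fix rewritten in this diff says "a single system configuration file in the /etc/sysctl.d/ directory". On OL 8 that path is normally a symlink to /etc/sysctl.conf, so following the text places the setting in /etc/sysctl.conf rather than in a drop-in; the project's check for these two rules should accept either location, which cannot be confirmed from this diff. The inconsistency between the two phrasings is worth noting where the project maps this reference to its own rules. The enclosing XCCDF element begins before the hunk.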
@@ -11781,38 +11626,32 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure the system to restrict exposed kernel pointer addresses access by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure OL 8 to prevent the leak of kernel pointers to nonprivileged users. + +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: kernel.kptr_restrict = 1 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040284 OL 8 must disable the use of user namespaces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -User namespaces are used primarily for Linux containers. "Rootful" containers run with root privileges on the host system and may pose a security risk if compromised. "Rootless" containers run without root privileges and allow for better isolation from the host system. The value "0" disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When privileged user namespaces or "rootful" containers are in use, user namespaces should be disallowed. 
When unprivileged user namespaces or "rootless" containers are deployed on a system, the value should be set to a large non-zero value. The default value depends on the amount of memory in the system, approximately the total memory in kilobytes divided by 256. +User namespaces are used primarily for Linux containers. "Rootful" containers run with root privileges on the host system and may pose a security risk if compromised. "Rootless" containers run without root privileges and allow for better isolation from the host system. The value "0" disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When privileged user namespaces or "rootful" containers are in use, user namespaces should be disallowed. When nonprivileged user namespaces or "rootless" containers are deployed on a system, the value should be set to a large nonzero value. The default value depends on the amount of memory in the system, approximately the total memory in kilobytes divided by 256. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -11827,38 +11666,31 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure the system to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory: - - user.max_user_namespaces = 0 + Configure OL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: -Remove any configurations that conflict with the above from the following locations: +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable. - /run/sysctl.d/*.conf - /usr/local/lib/sysctl.d/*.conf - /usr/lib/sysctl.d/*.conf - /lib/sysctl.d/*.conf - /etc/sysctl.conf - /etc/sysctl.d/*.conf +user.max_user_namespaces = 0 The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - $ sudo sysctl --system - +$ sudo sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040285 OL 8 must use reverse path filtering on all IPv4 interfaces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enabling reverse path filtering drops packets with source addresses that are not routable. There is no equivalent filter for IPv6 traffic. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf 
@@ -11873,38 +11705,32 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure the system to use reverse path filtering on all IPv4 interfaces by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure OL 8 to use reverse path filtering on all IPv4 interfaces. -net.ipv4.conf.all.rp_filter = 1 +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +net.ipv4.conf.all.rp_filter = 1 The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + OL08-00-040286 OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf @@ -11919,24 +11745,16 @@ The sysctl --system command will load settings from all system configuration fil 5416 CCI-000366 - Configure OL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure OL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: net.core.bpf_jit_harden = 2 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system - + - + @@ -11961,7 +11779,7 @@ $ sudo sysctl --system $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - + @@ -11985,7 +11803,7 @@ $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - + 
@@ -12013,7 +11831,7 @@ Set the promiscuous mode of an interface to "off" with the following command: $ sudo ip link set dev <devicename> multicast off promisc off - + @@ -12027,7 +11845,7 @@ $ sudo ip link set dev <devicename> multicast off promisc off +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA @@ -12045,7 +11863,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd - + @@ -12071,7 +11889,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us X11UseLocalhost yes - + @@ -12103,7 +11921,7 @@ $ sudo systemctl daemon-reload $ sudo systemctl restart tftp.service - + @@ -12127,7 +11945,7 @@ $ sudo systemctl restart tftp.service $ sudo yum remove vsftpd - + @@ -12147,13 +11965,14 @@ When an application uses Generic Security Services API (GSSAPI), typically it wi Oracle Linux 8 5416 + CCI-000366 Configure OL 8 to disable nonessential capabilities by removing the "gssproxy" package from the system with the following command: $ sudo yum remove gssproxy - + @@ -12177,7 +11996,7 @@ $ sudo yum remove gssproxy $ sudo yum remove iprutils - + @@ -12201,7 +12020,7 @@ $ sudo yum remove iprutils $ sudo yum remove tuned - + @@ -12228,7 +12047,7 @@ Lock an account: $ sudo passwd -l [username] - + @@ -12254,7 +12073,7 @@ This requirement applies to OL 8 with software libraries that are accessible and $ sudo chmod 755 [DIRECTORY] - + 
@@ -12282,7 +12101,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no $ sudo chown root [DIRECTORY] - + @@ -12310,7 +12129,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no $ sudo chgrp root [DIRECTORY] - + @@ -12342,7 +12161,7 @@ $ sudo vi /etc/pam.d/sudo Remove any occurrences of " pam_succeed_if " in the file. - + @@ -12372,7 +12191,7 @@ Add the following line to the "/etc/pam.d/system-auth" file (or modify the line password requisite pam_pwquality.so - + @@ -12404,7 +12223,7 @@ Add the following line to the "/etc/pam.d/system-auth" file (or modify the line password requisite pam_pwquality.so retry=3 - + @@ -12436,7 +12255,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin password requisite pam_pwquality.so retry=3 - + @@ -12464,14 +12283,14 @@ $ sudo systemctl set-default multi-user.target A reboot is required for the changes to take effect. - + SRG-OS-000163-GPOS-00072 <GroupDescription></GroupDescription> - + OL08-00-020035 OL 8 must terminate idle user sessions. <VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -12483,27 +12302,35 @@ A reboot is required for the changes to take effect. 5416 CCI-001133 - Configure OL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + Configure OL 8 to log out idle sessions. + +Create the directory if necessary: + +$ mkdir -p /etc/systemd/logind.conf.d/ - StopIdleSessionSec=900 +Create a *.conf file in /etc/systemd/logind.conf.d/ with the following content: -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: +[Login] +StopIdleSessionSec=600 +KillUserProcesses=no - $ sudo systemctl restart systemd-logind - +Restart systemd-logind: + +$ systemctl restart systemd-logind + - + - + - Security Content Tool 1.6.0 + Security Content Tool 1.7.0 5.11 - 2025-09-25T11:53:06 + 2026-01-05T02:25:45 @@ -12788,46 +12615,6 @@ The "logind" service must be restarted for the changes to take effect. To restar - - - The operating system must enable kernel parameters to enforce discretionary access control on symlinks. - - - - - - - - - - The operating system must enable kernel parameters to enforce discretionary access control on hardlinks. - - - - - - - - - - The operating system must restrict access to the kernel message buffer. - - - - - - - - - - The operating system must prevent kernel profiling by unprivileged users. - - - - - - - The operating system must require users to provide a password for privilege escalation. @@ -12847,16 +12634,6 @@ The "logind" service must be restarted for the changes to take effect. To restar - - - The operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - - - - - - - YUM must remove all software components after updated versions have been installed on the operating system. 
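Review bot: The new fix text for OL08-00-020035 drops `sudo` from `$ mkdir -p /etc/systemd/logind.conf.d/` and `$ systemctl restart systemd-logind`, while every other command in this file is written as `$ sudo ...`; run as shown by an unprivileged user both commands fail. The idle timeout also changes from StopIdleSessionSec=900 to `StopIdleSessionSec=600` and a new `KillUserProcesses=no` line appears, so the project variable that feeds this STIG rule presumably needs the same value — confirm against the OL 8 STIG profile. The enclosing XCCDF element begins before the hunk.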
@@ -12921,9 +12698,9 @@ The "logind" service must be restarted for the changes to take effect. To restar - + - The operating system SSH daemon must not allow authentication using known host’s authentication. + The operating system SSH daemon must not allow authentication using known host's authentication. @@ -13037,14 +12814,13 @@ The "logind" service must be restarted for the changes to take effect. To restar - + The operating system must disable the kernel.core_pattern. - @@ -13445,16 +13221,6 @@ The "logind" service must be restarted for the changes to take effect. To restar - - - The operating system must display the date and time of the last successful account logon upon logon. - - - - - - - The operating system must display the date and time of the last successful account logon upon an SSH logon. 
@@ -14400,154 +14166,13 @@ The "logind" service must be restarted for the changes to take effect. To restar - - - The operating system must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - - - - - - - - - The operating system must not send Internet Control Message Protocol (ICMP) redirects. - - - - - - - - - - The operating system must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - - - - - - - - - - The operating system must not forward IPv6 source-routed packets. - - - - - - - - - - The operating system must not forward IPv6 source-routed packets by default. - - - - - - - - - - The operating system must not enable IPv6 packet forwarding unless the system is a router. - - - - - - - - - - The operating system must not accept router advertisements on all IPv6 interfaces. - - - - - - - - - - The operating system must not accept router advertisements on all IPv6 interfaces by default. - - - - - - - - - - The operating system must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - - - - - - - - - - The operating system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - - - - - - - - + - The operating system must disable access to network bpf syscall from unprivileged processes. + The operating system must restrict usage of ptrace to descendant processes. - - - - - - - The operating system must restrict usage of ptrace to descendant processes. - - - - - - - - - The operating system must restrict exposed kernel pointer addresses access. - - - - - - - - - - The operating system must disable the use of user namespaces. - - - - - - - - - - The operating system must use reverse path filtering on all IPv4 interfaces. - - - - - 
@@ -14614,16 +14239,6 @@ The "logind" service must be restarted for the changes to take effect. To restar - - - The gssproxy package must not be installed unless mission essential on the operating system. - - - - - - - The iprutils package must not be installed unless mission essential on the operating system. @@ -14811,63 +14426,49 @@ The "logind" service must be restarted for the changes to take effect. To restar - - - The operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - - - - - - - + - The operating system must not forward IPv4 source-routed packets. + The operating system must be a vendor-supported release. - - + - + - The operating system must not forward IPv4 source-routed packets by default. + The operating system must enable kernel parameters to enforce discretionary access control on symlinks. - - - + + - + - The operating system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. + The operating system must enable kernel parameters to enforce discretionary access control on hardlinks. - - + - + - The operating system must enable hardening for the Berkeley Packet Filter Just-in-time compiler. + The operating system must restrict access to the kernel message buffer. - - + - + - The operating system must be a vendor-supported release. + The operating system must prevent kernel profiling by unprivileged users. - + @@ -15036,6 +14637,15 @@ The "logind" service must be restarted for the changes to take effect. To restar + + + The operating system must not forward IPv6 source-routed packets by default. + + + + + + The operating system operating system must not have accounts configured with blank or null passwords. 
@@ -15208,6 +14818,33 @@ The "logind" service must be restarted for the changes to take effect. To restar + + + The system must terminate idle user sessions. + + + + + + + + + The operating system must restrict exposed kernel pointer addresses access. + + + + + + + + + The gssproxy package must not be installed unless mission essential on the operating system. + + + + + + All the operating system local interactive user home directories must have mode 0750 or less permissive. @@ -15291,15 +14928,6 @@ The "logind" service must be restarted for the changes to take effect. To restar - - - The system must terminate idle user sessions. - - - - - - The operating system must require users to reauthenticate for privilege escalation. 
@@ -15383,32 +15011,194 @@ The "logind" service must be restarted for the changes to take effect. To restar - + - The autofs package is installed. + The operating system must disable the use of user namespaces. - + - + - The system has nfs entries in /etc/fstab + The operating system must disable access to network bpf system call from nonprivileged processes. - + - + - The postifx package is installed. + The operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - - - + + + + + + + The operating system must enable hardening for the Berkeley Packet Filter Just-in-time compiler. + + + + + + + + + The operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. + + + + + + + + + The operating system must not forward IPv4 source-routed packets. + + + + + + + + + The operating system must use reverse path filtering on all IPv4 interfaces. + + + + + + + + + The operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + + + + + + + + + The operating system must not forward IPv4 source-routed packets by default. + + + + + + + + + The operating system must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. + + + + + + + + + The operating system must not send Internet Control Message Protocol (ICMP) redirects. + + + + + + + + + The operating system must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + + + + + + + + + The operating system must not accept router advertisements on all IPv6 interfaces. + + + + + + + + + The operating system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + + + + + + + + + The operating system must not forward IPv6 source-routed packets. 
+ + + + + + + + + The operating system must not enable IPv6 packet forwarding unless the system is a router. + + + + + + + + + The operating system must not accept router advertisements on all IPv6 interfaces by default. + + + + + + + + + The operating system must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + + + + + + + + + The autofs package is installed. + + + + + + + + + The system has nfs entries in /etc/fstab + + + + + + + + + The postifx package is installed. + + + + + @@ -16136,7 +15926,7 @@ Verifying the authenticity of the software prior to installation validates the i - + OL08-00-010373 - OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks. @@ -16157,10 +15947,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-010374 - OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks. @@ -16181,10 +15971,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-010375 - OL 8 must restrict access to the kernel message buffer. @@ -16207,10 +15997,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-010376 - OL 8 must prevent kernel profiling by unprivileged users. @@ -16233,7 +16023,7 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + @@ -16331,7 +16121,7 @@ This requirement only applies to components where this is specific to the functi - + OL08-00-010430 - OL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. @@ -16350,7 +16140,7 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + 
@@ -17495,18 +17285,6 @@ Configuration settings are the set of parameters that can be changed in hardware - - - OL08-00-020340 - OL 8 must display the date and time of the last successful account logon upon logon. - - Oracle Linux 8 - - Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. - - - - - OL08-00-020350 - OL 8 must display the date and time of the last successful account logon upon an SSH logon. @@ -19511,7 +19289,7 @@ Session key regeneration limits the chances of a session key becoming compromise - + OL08-00-040209 - OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. @@ -19528,10 +19306,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040210 - OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. @@ -19548,10 +19326,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040220 - OL 8 must not send Internet Control Message Protocol (ICMP) redirects. @@ -19570,10 +19348,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040230 - OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. @@ -19592,10 +19370,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040239 - OL 8 must not forward IPv4 source-routed packets. @@ -19612,10 +19390,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040240 - OL 8 must not forward IPv6 source-routed packets. 
@@ -19632,10 +19410,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040249 - OL 8 must not forward IPv4 source-routed packets by default. @@ -19652,10 +19430,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040250 - OL 8 must not forward IPv6 source-routed packets by default. @@ -19672,10 +19450,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040260 - OL 8 must not enable IPv6 packet forwarding unless the system is a router. @@ -19692,10 +19470,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040261 - OL 8 must not accept router advertisements on all IPv6 interfaces. @@ -19714,10 +19492,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040262 - OL 8 must not accept router advertisements on all IPv6 interfaces by default. @@ -19736,10 +19514,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040270 - OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. @@ -19758,10 +19536,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040279 - OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. @@ -19778,10 +19556,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040280 - OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. 
@@ -19798,10 +19576,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040281 - OL 8 must disable access to the network "bpf" syscall from unprivileged processes. @@ -19818,7 +19596,7 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + @@ -19841,7 +19619,7 @@ The sysctl --system command will load settings from all system configuration fil - + OL08-00-040283 - OL 8 must restrict exposed kernel pointer addresses access. @@ -19858,10 +19636,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040284 - OL 8 must disable the use of user namespaces. @@ -19880,10 +19658,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040285 - OL 8 must use reverse path filtering on all IPv4 interfaces. @@ -19901,10 +19679,10 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - + OL08-00-040286 - OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. @@ -19923,7 +19701,7 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + @@ -19964,7 +19742,7 @@ If the system is being used to perform a network troubleshooting function, the u - + OL08-00-040340 - OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. 
@@ -19974,7 +19752,7 @@ If the system is being used to perform a network troubleshooting function, the u X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the "ForwardX11Trusted" option is also enabled. -If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs. @@ -20016,7 +19794,7 @@ If X11 services are not required for the system's intended function, they should - + OL08-00-040370 - OL 8 must not have the "gssproxy" package installed if not required for operational support. @@ -20027,7 +19805,7 @@ If X11 services are not required for the system's intended function, they should When an application uses Generic Security Services API (GSSAPI), typically it will have direct access to its security credentials, and all cryptographic operations are performed in the application's process. This is undesirable, but "gssproxy" can help in almost all use cases. It provides privilege separation to applications using the GSSAPI: The gssproxy daemon runs on the system, holds the application's credentials, and performs operations on behalf of the application. - + @@ -20186,7 +19964,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + OL08-00-020035 - OL 8 must terminate idle user sessions. 
@@ -20195,7 +19973,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. - + @@ -20313,32 +20091,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - - - - - - - - - - - - - - - - - @@ -20378,7 +20136,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + @@ -20390,10 +20148,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - @@ -20591,12 +20345,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - - - @@ -21016,64 +20764,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -21154,26 +20844,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - - - - - - - - - - - - - - - - - @@ -21342,9 +21012,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - + + + @@ -21375,10 +21045,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - @@ -21484,7 +21150,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + @@ -21719,22 +21385,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - - - - - - - - - - - - - @@ -21853,18 +21503,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - - - - - @@ -21881,20 +21523,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - - - - - - - 
@@ -21903,10 +21535,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - - @@ -21919,6 +21547,22 @@ By limiting the number of attempts to meet the pwquality module complexity requi + + + + + + + + + + + + + + + + @@ -21931,6 +21575,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi + + + + @@ -21951,10 +21599,22 @@ By limiting the number of attempts to meet the pwquality module complexity requi + + + + + + + + + + + + @@ -21978,6 +21638,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi + + + + 
@@ -22221,107 +21885,22 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*localpkg_gpgcheck\s*=\s*(\w+)\b$ 1 - - - \.conf$ - (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ + + + /etc/sudoers + ^(?!#).*\s+NOPASSWD.*$ 1 - - /etc/sysctl.conf - (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ + + + /etc/sudoers.d + ^.*$ + ^(?!#).*\s+NOPASSWD.*$ 1 - - - oval:mil.disa.stig.ind:obj:23026701 - oval:mil.disa.stig.ind:obj:23026702 - - - - - \.conf$ - (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026801 - oval:mil.disa.stig.ind:obj:23026802 - - - - /etc/sysctl.conf - ^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026900 - oval:mil.disa.stig.ind:obj:23026901 - - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23027001 - oval:mil.disa.stig.ind:obj:23027002 - - - - - /etc/sudoers - ^(?!#).*\s+NOPASSWD.*$ - 1 - - - - /etc/sudoers.d - ^.*$ - ^(?!#).*\s+NOPASSWD.*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23028000 - oval:mil.disa.stig.ind:obj:23028001 - - - - /etc/dnf/dnf.conf - ^[ \t]*clean_requirements_on_remove[ \t]*=[ \t]*(?:True|1|yes)[ \t]*$ + + /etc/dnf/dnf.conf + ^[ \t]*clean_requirements_on_remove[ \t]*=[ \t]*(?:True|1|yes)[ \t]*$ 1 
@@ -22404,9 +21983,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*[^#\s]+\s+/boot\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ 1 - + /etc/fstab - ^\s*/dev\S*\s+/\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + ^\s*/dev\S*\s+/\S+\s+(?!vfat\s+)\S+\s+(\S+)\s+\S+\s+\S+\s*$ 1 @@ -22419,23 +21998,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 - - /etc/sysctl.conf - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23031100 - oval:mil.disa.stig.ind:obj:23031101 - - oval:mil.disa.stig.ind:obj:23031302 @@ -22899,16 +22461,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^(?i)\s*PermitEmptyPasswords\s+(\w+)$ 1 - - /etc/pam.d/postlogin - ^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*showfailed\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - - - /etc/pam.d/postlogin - ^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*silent\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - /etc/ssh/sshd_config ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ 
@@ -23591,244 +23143,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*\[org/gnome/settings-daemon/plugins/media-keys\]\s+[^\[\]]*^\s*logout=(\S+)\s*$ 1 - - - \.conf$ - ^\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053500 - oval:mil.disa.stig.ind:obj:23053501 - - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053600 - oval:mil.disa.stig.ind:obj:23053601 - - - - - \.conf$ - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053700 - oval:mil.disa.stig.ind:obj:23053701 - - - - - oval:mil.disa.stig.ind:obj:23053802 - oval:mil.disa.stig.ind:obj:23053803 - - - - - \.conf$ - (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053902 - oval:mil.disa.stig.ind:obj:23053905 - - - - - \.conf$ - (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054000 - oval:mil.disa.stig.ind:obj:23054001 - - - - - \.conf$ - ^\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054100 - oval:mil.disa.stig.ind:obj:23054101 - - - - - 
\.conf$ - ^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054301 - oval:mil.disa.stig.ind:obj:23054302 - - - - - \.conf - (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054401 - oval:mil.disa.stig.ind:obj:23054402 - - - - - oval:mil.disa.stig.ind:obj:23054502 - oval:mil.disa.stig.ind:obj:23054503 - - - - /etc/sysctl.conf - ^\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054601 - oval:mil.disa.stig.ind:obj:23054602 - - - - - \.conf$ - ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054701 - oval:mil.disa.stig.ind:obj:23054702 - - - - - \.conf$ - ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054801 - oval:mil.disa.stig.ind:obj:23054802 - - - - - oval:mil.disa.stig.ind:obj:23054901 - oval:mil.disa.stig.ind:obj:23054902 - - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ - 1 - /etc/postfix/main.cf ^smtpd_client_restrictions[ \t]*=[ \t]*permit_mynetworks[, \t]+reject[ \t]*$ 
@@ -24001,91 +23315,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi (?i)^\s*space_left_action\s*=\s*(\w+)\s*(?:#.*)?$ 1 - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455001 - oval:mil.disa.stig.ind:obj:24455002 - - - - - \.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455100 - oval:mil.disa.stig.ind:obj:24455101 - - - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv4\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455201 - oval:mil.disa.stig.ind:obj:24455202 - - - - - \.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455300 - oval:mil.disa.stig.ind:obj:24455301 - - - - - oval:mil.disa.stig.ind:obj:24455402 - oval:mil.disa.stig.ind:obj:24455403 - - - - - \.conf$ - ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ - 1 - /etc oracle-release @@ -24268,23 +23497,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi 1 - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ + + /etc/systemd/logind.conf + ^\s*StopIdleSessionSec\s*=\s*(-?\d*)\s*(?:#.*)?$ 1 - - - oval:mil.disa.stig.ind:obj:25312001 - oval:mil.disa.stig.ind:obj:25312002 - - /etc/fstab ^\s*[^#\s][^\s]*\s+[^\s]+\s+nfs[^\s]*\s+([^\s]+) 
@@ -24338,11 +23555,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi oval:mil.disa.stig.defs:var:25804500 - - /etc/systemd/logind.conf - ^\s*StopIdleSessionSec\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - /etc/sudoers @@ -24456,8 +23668,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi /boot - + ^/\S+$ + oval:mil.disa.stig.linux:ste:23030103 oval:mil.disa.stig.linux:ste:23030102 @@ -24660,32 +23873,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi oval:mil.disa.stig.unix:ste:23025800 - - + + - \.so(\.\d+)*$ + \.so(\S+)*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:20000005 - + - \.so(\.\d+)*$ + (\.so\S*)$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:20000006 - - fs.protected_symlinks - - - fs.protected_hardlinks - - - kernel.dmesg_restrict - - - kernel.perf_event_paranoid - kernel.randomize_va_space @@ -24800,15 +24001,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.all.accept_source_route - - net.ipv6.conf.default.accept_source_route - net.ipv6.conf.all.forwarding - - net.ipv6.conf.all.accept_ra - net.ipv4.conf.default.send_redirects @@ -24840,9 +24035,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv4.conf.default.accept_redirects - - net.ipv4.conf.all.accept_source_route - net.ipv4.conf.default.accept_source_route @@ -24852,9 +24044,24 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.core.bpf_jit_harden + + fs.protected_symlinks + + + fs.protected_hardlinks + + + kernel.dmesg_restrict + + + kernel.perf_event_paranoid + /usr/bin/lastlog + + net.ipv6.conf.default.accept_source_route + 
@@ -24883,42 +24090,48 @@ By limiting the number of attempts to meet the pwquality module complexity requi + + net.ipv4.conf.all.accept_source_route + + + net.ipv6.conf.all.accept_ra + .* oval:mil.disa.stig.unix:ste:25804500 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048700 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048701 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048702 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048703 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048704 @@ -24945,9 +24158,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi 1 - - 2 - none @@ -25017,9 +24227,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi \n\s*gpgcheck\s*=\s*(False|0|no)\s*(\n|$) - - 1 - targeted @@ -25029,9 +24236,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^.*noexec.*$ - - |/bin/false - 0 @@ -25146,12 +24350,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi '' - - 1 - - - 2 - /etc/sudoers.d @@ -25164,6 +24362,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^pam_pwquality.so(\s|$) + + 600 + /etc/ssh/sshd_config.d/*.conf @@ -25176,9 +24377,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - 900 - x509/name @@ -25243,6 +24441,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^/dev\S*$ + + vfat + nosuid @@ -25354,9 +24555,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi 1000 - - 1 - |/bin/false @@ -25401,12 +24599,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi 0 - - 1 - - - 2 - (^|\s)PROMISC(\s|$) 
@@ -25675,13 +24867,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - @@ -25692,12 +24877,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + - Security Content Tool 1.6.0 + Security Content Tool 1.7.0 5.11 - 2025-09-25T11:53:18 + 2026-01-05T02:25:57 From c92c8c0d3665061e0b24b1e91b073f12ee5ee037 Mon Sep 17 00:00:00 2001 From: Armando Acosta Date: Fri, 13 Feb 2026 14:11:31 -0600 Subject: [PATCH 134/265] Update OL9 logind_session_timeout to use dropin files Signed-off-by: Armando Acosta --- .../logind_session_timeout/ansible/shared.yml | 2 +- .../accounts-physical/logind_session_timeout/bash/shared.sh | 2 +- .../accounts-physical/logind_session_timeout/oval/shared.xml | 4 ++-- .../accounts-physical/logind_session_timeout/tests/common.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml index 6bb54d80f23d..8a2608c93e68 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml @@ -6,7 +6,7 @@ {{{ ansible_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} {{% else %}} 
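Review bot: The product list `["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"]` that selects the drop-in path is now hand-copied in four templates — this hunk, bash/shared.sh, both hunks of oval/shared.xml and tests/common.sh — so the next product added to one of them will be missed in another and the check and the remediation will disagree on which file they read. Consider expressing the decision once (a shared macro or a per-product property that the four templates consult) so the list cannot drift; at minimum add a comment next to each copy naming the other three, e.g. `# keep in sync with bash/shared.sh, oval/shared.xml and tests/common.sh`. The rest of the ansible task, including the drop-in content it writes, is outside the hunk.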
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh index 72e3aa52ba40..c336394acfc9 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh @@ -2,7 +2,7 @@ {{{ bash_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} {{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml index 80c8b6a55aa1..3ea13bc7f07f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml @@ -1,4 +1,4 @@ -{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} {{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}} {{% else %}} {{% set logind_conf_file = "/etc/systemd/logind.conf" %}} @@ -6,7 +6,7 @@ - {{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} + {{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}} 
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh index f40b296ec76b..ce6a75106687 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh @@ -3,7 +3,7 @@ # this file prepares unified test environment used by other scenarios # These should be tuned per product to match defaults -{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" mkdir -p /etc/systemd/logind.conf.d/ {{% else %}} From 983fb4fe2d8f5be513459c3cafe30557dffeebe6 Mon Sep 17 00:00:00 2001 From: Armando Acosta Date: Fri, 13 Feb 2026 14:14:14 -0600 Subject: [PATCH 135/265] Add /usr/libexec to file_groupownership_system_commands_dirs for OL9 Signed-off-by: Armando Acosta --- .../ansible/shared.yml | 4 ++++ .../bash/shared.sh | 5 ++++- .../oval/shared.xml | 4 ++++ .../file_groupownership_system_commands_dirs/rule.yml | 7 +++++++ .../tests/correct_groupowner.pass.sh | 4 ++++ .../tests/incorrect_groupownership.fail.sh | 8 ++++++++ .../tests/symlink.pass.sh | 4 ++++ 7 files changed, 35 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml index 429962905c3e..78c03e7011b6 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml 
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml @@ -11,7 +11,11 @@ follow: no recurse: no register: system_command_files_found + {{% if 'ol9' in product %}} + with_items: ['/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/libexec','/usr/local/bin', '/usr/local/sbin'] + {{% else %}} with_items: ['/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/local/bin', '/usr/local/sbin'] + {{% endif %}} changed_when: false - name: "{{{ rule_title }}} - Set group ownership to root for system command files" diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh index 00a12fdfa865..bc803976ee28 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh @@ -1,3 +1,6 @@ # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux - +{{% if 'ol9' in product %}} +find -P /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp root '{}' \; || true +{{% else %}} find -P /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp root '{}' \; || true +{{% endif %}} diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml index 16936790ef09..08d91bab154d 100644 
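Review bot: Extending the unconditional `chgrp root` in bash/shared.sh (and the ansible task that follows this hunk, whose body is outside it) to /usr/libexec is riskier than for the bin directories: that tree holds privileged helpers deliberately group-owned by a system group — on RHEL 9-derived systems the setgid utempter helper under /usr/libexec/utempter appears to be root:utmp, for example — and the remediation will re-group them to root, while Linux clears the set-id bits of an executable on chgrp even when root performs it, so such a helper is broken rather than hardened. The OVAL side already tolerates required system accounts (`state_groupowner_system_commands_dirs_not_root_or_system_account`), so the remediation is stricter than the check it is meant to satisfy. Either limit the `find` to files whose group is outside the system-account range, mirroring the OVAL state, or document in rule.yml that the fix may need manual follow-up for /usr/libexec on OL9.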
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml @@ -17,7 +17,11 @@ + {{% if 'ol9' in product %}} + ^\/s?bin|^\/usr\/s?bin|^\/usr\/libexec|^\/usr\/local\/s?bin + {{% else %}} ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin + {{% endif %}} ^.*$ state_groupowner_system_commands_dirs_not_root_or_system_account state_groupowner_system_commands_dirs_symlink diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml index 37ae549a7174..6dc73e355bee 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml @@ -9,6 +9,9 @@ description: |- /sbin /usr/bin /usr/sbin + {{%- if 'ol9' in product %}} + /usr/libexec + {{%- endif %}} /usr/local/bin /usr/local/sbin @@ -54,7 +57,11 @@ ocil_clause: 'any system commands are returned and is not group-owned by a requi ocil: |- Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: + {{%- if 'ol9' in product %}} + $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; + {{%- else %}} $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; + {{%- endif %}} fixtext: |- Configure the system commands to be protected from unauthorized access. 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh index 48bd0d2c8f5c..9fe7a63d4783 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh @@ -1,3 +1,7 @@ #!/bin/bash +{{% if 'ol9' in product %}} +find -P /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp --no-dereference root '{}' \; || true +{{% else %}} find -P /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp --no-dereference root '{}' \; || true +{{% endif %}} diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh index f65c98a225ab..8013aaed79fa 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh 
@@ -2,13 +2,21 @@ groupadd group_test +{{% if 'ol9' in product %}} +find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/libexec/ /usr/local/bin/ /usr/local/sbin/ -type f -exec chgrp --no-dereference root {} \; || true +{{% else %}} find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ -type f -exec chgrp --no-dereference root {} \; || true +{{% endif %}} {{% if 'ubuntu' in product %}} for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me {{% else %}} +{{% if 'ol9' in product %}} +for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/libexec/test_me /usr/sbin/test_me /usr/local/bin/test_me +{{% else %}} for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me {{% endif %}} +{{% endif %}} do if [[ ! -f $TESTFILE ]] then diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh index 6c9035268936..e27ef5963fc9 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh @@ -2,7 +2,11 @@ groupadd group_test +{{% if 'ol9' in product %}} +find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/libexec /usr/local/bin/ /usr/local/sbin/ \! -group root -type f -exec chgrp --no-dereference root {} \; || true +{{% else %}} find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ \! -group root -type f -exec chgrp --no-dereference root {} \; || true +{{% endif %}} ln -s $(mktemp -p /tmp) /usr/bin/test.log.symlink chgrp -h group_test /usr/bin/test.log.symlink 
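Review bot: The new `{{% if 'ol9' in product %}}` is nested inside the `{{% else %}}` of the ubuntu check, which adds a second `{{% endif %}}` and makes the three-way choice hard to read; Jinja has `elif` for this. Replace the `{{% else %}}` / `{{% if 'ol9' in product %}}` pair with `{{% elif 'ol9' in product %}}`, keep the plain `{{% else %}}` for the remaining products, and drop one of the two `{{% endif %}}` lines. The `do` loop body that consumes TESTFILE continues outside the hunk.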
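Review bot: In symlink.pass.sh the added `/usr/libexec` is the only start point on the `find -P` line without a trailing slash; the trailing slash is what makes a symlinked start point such as /bin be resolved and descended under `-P`, so the inconsistency would silently skip the directory if it were ever a symlink. Use `/usr/libexec/` to match the other paths on the line and the other test scripts in this commit.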
From 413b370a6f189dfe54856e92245d54fbc7dc08c7 Mon Sep 17 00:00:00 2001 From: Armando Acosta Date: Fri, 13 Feb 2026 14:16:20 -0600 Subject: [PATCH 136/265] Align OL9 STIG with DISA OL9 STIG V1R4 Signed-off-by: Armando Acosta --- controls/stig_ol9.yml | 31 +- products/ol9/profiles/stig.profile | 4 +- products/ol9/profiles/stig_gui.profile | 4 +- ....xml => disa-stig-ol9-v1r2-xccdf-scap.xml} | 65583 ++++++++-------- ...ml => disa-stig-ol9-v1r4-xccdf-manual.xml} | 324 +- 5 files changed, 32773 insertions(+), 33173 deletions(-) rename shared/references/{disa-stig-ol9-v1r1-xccdf-scap.xml => disa-stig-ol9-v1r2-xccdf-scap.xml} (95%) rename shared/references/{disa-stig-ol9-v1r3-xccdf-manual.xml => disa-stig-ol9-v1r4-xccdf-manual.xml} (87%) diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml index bc1370b1b5a4..9d8522165fb6 100644 --- a/controls/stig_ol9.yml +++ b/controls/stig_ol9.yml @@ -621,14 +621,6 @@ controls: - mount_option_home_noexec status: automated - - id: OL09-00-002010 - levels: - - medium - title: OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. - rules: - - mount_option_krb_sec_remote_filesystems - status: automated - - id: OL09-00-002011 levels: - medium @@ -1262,7 +1254,7 @@ controls: - medium title: OL 9 world-writable directories must be owned by root, sys, bin, or an application user. rules: - - dir_perms_world_writable_root_owned + - dir_perms_world_writable_system_owned status: automated - id: OL09-00-002510 @@ -2063,9 +2055,10 @@ controls: - id: OL09-00-002104 levels: - medium - title: OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. + title: OL 9 must automatically lock graphical user sessions after 10 minutes of inactivity. rules: - dconf_gnome_screensaver_idle_delay + - inactivity_timeout_value=10_minutes status: automated - id: OL09-00-002124 
@@ -2410,14 +2403,6 @@ controls: - sysctl_kernel_exec_shield status: automated - - id: OL09-00-002427 - levels: - - medium - title: Local OL 9 initialization files must not execute world-writable programs. - rules: - - accounts_user_dot_no_world_writable_programs - status: automated - - id: OL09-00-002411 levels: - medium @@ -3837,16 +3822,6 @@ controls: - fips_crypto_policy_symlinks status: automated - - id: OL09-00-002424 - levels: - - medium - title: OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive - orders, directives, policies, regulations, standards, and guidance for authentication to a - cryptographic module. - rules: - - configure_kerberos_crypto_policy - status: automated - - id: OL09-00-000241 levels: - medium diff --git a/products/ol9/profiles/stig.profile b/products/ol9/profiles/stig.profile index 883b970b43a8..adbe70ed2e64 100644 --- a/products/ol9/profiles/stig.profile +++ b/products/ol9/profiles/stig.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V1R3 + version: V1R4 reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux @@ -10,7 +10,7 @@ title: 'DISA STIG for Oracle Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Oracle Linux 9 V1R3. + DISA STIG for Oracle Linux 9 V1R4. selections: - stig_ol9:all diff --git a/products/ol9/profiles/stig_gui.profile b/products/ol9/profiles/stig_gui.profile index 178e85a21e57..4f2b8b948abb 100644 --- a/products/ol9/profiles/stig_gui.profile +++ b/products/ol9/profiles/stig_gui.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R3 + version: V1R4 reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux 
@@ -9,7 +9,7 @@ title: 'DISA STIG with GUI for Oracle Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Oracle Linux 9 V1R3. + DISA STIG for Oracle Linux 9 V1R4. Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If diff --git a/shared/references/disa-stig-ol9-v1r1-xccdf-scap.xml b/shared/references/disa-stig-ol9-v1r2-xccdf-scap.xml similarity index 95% rename from shared/references/disa-stig-ol9-v1r1-xccdf-scap.xml rename to shared/references/disa-stig-ol9-v1r2-xccdf-scap.xml index 98cca171fba1..b703b4830c72 100644 --- a/shared/references/disa-stig-ol9-v1r1-xccdf-scap.xml +++ b/shared/references/disa-stig-ol9-v1r2-xccdf-scap.xml 
@@ -1,32977 +1,32606 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - Oracle Linux 9 - oval:mil.disa.stig.ol9os:def:1 - - - - - - accepted - Oracle Linux 9 STIG SCAP Benchmark - This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. - - - - - DISA - STIG.DOD.MIL - - Benchmark Date: 29 Oct 2025 - 3.5.1 - 1.10.0 - - - Linux with BIND installed - - - - - - Gnome-shell Package - - - - - - Linux UEFI Boot - - - - - - Linux with NFS mounts configured - - - - - - Linux with Libreswan installed - - - - - - Linux IPv6 Enabled - - - - - - Linux with postfix installed - - - - - - Linux with autofs installed - - - - - - - 001.001 - - DISA - DISA - DISA - STIG.DOD.MIL - - - I - Mission Critical Classified - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I - Mission Critical Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I - Mission Critical Sensitive - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Classified - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Sensitive - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - III - Administrative Classified - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - III - Administrative Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - III - Administrative Sensitive - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Disable Slow Rules - This profile disables rules known to have poor performance in some environments, such as systems with large numbers of user accounts. - - - - - CAT I Only - This profile only includes rules that are Severity Category I. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SRG-OS-000341-GPOS-00132 - <GroupDescription></GroupDescription> - - OL09-00-000002 - OL 9 must use a separate file system for the system audit data path. - <VulnDiscussion>Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cannot be halted due to the partition running out of space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001849 - Migrate the system audit data path onto a separate file system. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000003 - OL 9 must be configured so that a separate file system must be used for user home directories (such as /home or an equivalent). 
- <VulnDiscussion>Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Migrate the "/home" directory onto a separate file system/partition. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000004 - OL 9 must use a separate file system for /tmp. - <VulnDiscussion>The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Migrate the "/tmp" path onto a separate file system. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000005 - OL 9 must use a separate file system for /var. - <VulnDiscussion>Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. 
It is not uncommon for the "/var" directory to contain world-writable directories installed by other software packages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Migrate the "/var" path onto a separate file system. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000006 - OL 9 must use a separate file system for /var/log. - <VulnDiscussion>Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Migrate the "/var/log" path onto a separate file system. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000007 - OL 9 must use a separate file system for /var/tmp. - <VulnDiscussion>The "/var/tmp" partition is used as temporary storage by many programs. 
Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Migrate the "/var/tmp" path onto a separate file system. - - - - - - - - SRG-OS-000439-GPOS-00195 - <GroupDescription></GroupDescription> - - OL09-00-000010 - OL 9 must be a vendor supported release. - <VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - -Oracle offers Oracle Linux Premier Support, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002605 - Upgrade OL 9 to a supported version. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000020 - OL 9 must be configured so that the graphical display manager is not the default target unless approved. 
- <VulnDiscussion>Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to boot to the command line. - -Set the default target to multi-user with the following command: -$ sudo systemctl set-default multi-user.target - -If there is an operational requirement for a graphical user interface, document it with the ISSO. - - - - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - OL09-00-000025 - OL 9 must require authentication to access emergency mode. - <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
- -This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000213 - Configure OL 9 to require authentication for emergency mode. - -Add or modify the following line in the "/usr/lib/systemd/system/emergency.service" file: - -ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - - - - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - OL09-00-000030 - OL 9 must require authentication to access single-user mode. - <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
- -This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000213 - Configure OL 9 to require authentication for single-user mode. - -Add or modify the following line in the "/usr/lib/systemd/system/rescue.service" file: - -ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000040 - OL 9 must be configured to disable the Asynchronous Transfer Mode (ATM) kernel module. - <VulnDiscussion>Disabling ATM protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Configure OL 9 to prevent the atm kernel module from being loaded. 
- -Add the following line to the file /etc/modprobe.d/atm.conf (or create atm.conf if it does not exist): - -install atm /bin/false -blacklist atm - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000041 - OL 9 must be configured to disable the Controller Area Network (CAN) kernel module. - <VulnDiscussion>Disabling CAN protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Configure OL 9 to prevent the can kernel module from being loaded. - -Add the following line to the file /etc/modprobe.d/can.conf (or create atm.conf if it does not exist): - -install can /bin/false -blacklist can - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000042 - OL 9 must be configured to disable the FireWire kernel module. - <VulnDiscussion>Disabling firewire protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Configure OL 9 to prevent the firewire-core kernel module from being loaded. 
- -Add the following line to the file /etc/modprobe.d/firewire-core.conf (or create firewire-core.conf if it does not exist): - -install firewire-core /bin/true -blacklist firewire-core - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000043 - OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect unused protocols can result in a system compromise. - -The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Configure OL 9 to prevent the sctp kernel module from being loaded. - -Add the following line to the file /etc/modprobe.d/sctp.conf (or create sctp.conf if it does not exist): - -install sctp/bin/false -blacklist sctp - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000044 - OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. 
- <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect unused protocols can result in a system compromise. - -The TIPC is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free, and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Configure OL 9 to prevent the tipc kernel module from being loaded. - -Add the following line to the file /etc/modprobe.d/tipc.conf (or create tipc.conf if it does not exist): - -install tipc /bin/false -blacklist tipc - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000045 - OL 9 must disable mounting of cramfs. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Removing support for unneeded filesystem types reduces the local attack surface of the server. 
- -Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Configure OL 9 to prevent the cramfs kernel module from being loaded. - -Add the following line to the file /etc/modprobe.d/cramfs.conf (or create blacklist.conf if it does not exist): - -install cramfs /bin/false -blacklist cramfs - -Reboot the system for the settings to take effect. - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000046 - OL 9 Bluetooth must be disabled. - <VulnDiscussion>This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the authorizing official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 9 operating system. 
- -Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - CCI-001443 - Configure OL 9 to disable the Bluetooth adapter when not in use. - -Create or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: - -install bluetooth /bin/false -blacklist bluetooth - -Reboot the system for the settings to take effect. - - - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - OL09-00-000047 - OL 9 must be configured to disable USB mass storage. - <VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000778 - CCI-001958 - Configure OL 9 to prevent the usb-storage kernel module from being loaded. 
- -Add the following line to the file /etc/modprobe.d/usb-storage.conf (or create usb-storage.conf if it does not exist): - -install usb-storage /bin/false -blacklist usb-storage - - - - - - - - SRG-OS-000445-GPOS-00199 - <GroupDescription></GroupDescription> - - OL09-00-000060 - OL 9 must use a Linux Security Module configured to enforce limits on system services. - <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - -Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002696 - CCI-001084 - Configure OL 9 to verify correct operation of security functions. - -Edit the file "/etc/selinux/config" and add or modify the following line: - - SELINUX=enforcing - -A reboot is required for the changes to take effect. 
- - - - - - - - SRG-OS-000445-GPOS-00199 - <GroupDescription></GroupDescription> - - OL09-00-000065 - OL 9 must enable the SELinux targeted policy. - <VulnDiscussion>Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. - -Note: During the development or debugging of SELinux modules, it is common to temporarily place nonproduction systems in "permissive" mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to "targeted".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002696 - Configure OL 9 to use the targetd SELINUX policy. - -Edit the file "/etc/selinux/config" and add or modify the following line: - - SELINUXTYPE=targeted - -A reboot is required for the changes to take effect. - - - - - - - - SRG-OS-000033-GPOS-00014 - <GroupDescription></GroupDescription> - - OL09-00-000070 - OL 9 must enable FIPS mode. - <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000068 - CCI-000877 - CCI-002450 - CCI-002418 - Configure OL 9 to implement FIPS mode with the following command: - -$ sudo fips-mode-setup --enable - -Reboot the system for the changes to take effect. - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000100 - OL 9 must not have the nfs-utils package installed. - <VulnDiscussion>"nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. 
For example, "showmount" can display the clients that are mounted on that host.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Remove the nfs-utils package with the following command: - -$ sudo dnf remove nfs-utils - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000110 - OL 9 must not have the telnet-server package installed. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. - -The telnet service provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. 
- -Removing the "telnet-server" package decreases the risk of accidental (or intentional) activation of the telnet service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Remove the telnet-server package with the following command: - -$ sudo dnf remove telnet-server - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000115 - OL 9 must not have the gssproxy package installed. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. 
It is not needed for normal function of the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Remove the gssproxy package with the following command: - -$ sudo dnf remove gssproxy - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000120 - OL 9 must not have the iprutils package installed. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
- -The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Remove the iprutils package with the following command: - -$ sudo dnf remove iprutils - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000125 - OL 9 must not have the tuned package installed. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. 
The tuned package is not needed for normal OS operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Remove the tuned package with the following command: - -$ sudo dnf remove tuned - - - - - - - - SRG-OS-000074-GPOS-00042 - <GroupDescription></GroupDescription> - - OL09-00-000130 - OL 9 must not have a File Transfer Protocol (FTP) server package installed. - <VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. - -Removing the "vsftpd" package decreases the risk of accidental activation. 
- -Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000197 - CCI-000381 - Remove the ftp package can be removed with the following command (using vsftpd as an example): - -$ sudo dnf remove vsftpd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000135 - OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. - <VulnDiscussion>Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. - -If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Remove the tftp package can be removed with the following command: - -$ sudo dnf remove tftp - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000140 - OL 9 must not have the quagga package installed. 
- <VulnDiscussion>Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. - -If there is no need to make the router software available, removing it provides a safeguard against its activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Remove the quagga package with the following command: - -$ sudo dnf remove quagga - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000145 - OL 9 must not have a graphical display manager installed unless approved. - <VulnDiscussion>Unnecessary service packages must not be installed to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000382 - Remove all xorg packages with the following command: - -Warning: If accessing the system through the graphical user interface, change to the multi-user.target with the following command: - -$ sudo systemctl isolate multi-user.target - -Warning: Removal of the graphical user interface will immediately render it useless. The following commands must not be run from a virtual terminal emulator in the graphical interface. - -$ sudo dnf remove "xorg*" -$ sudo systemctl set-default multi-user.target - -If there is an operational requirement for a graphical user interface it must be documented with the ISSO. - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - OL09-00-000150 - OL 9 must not have the sendmail package installed. - <VulnDiscussion>The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. 
Postfix must be used instead.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000381 - Remove the sendmail package with the following command: - -$ sudo dnf remove sendmail - - - - - - - - SRG-OS-000134-GPOS-00068 - <GroupDescription></GroupDescription> - - OL09-00-000200 - OL 9 must have policycoreutils package installed. - <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. 
These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001084 - Install the policycoreutils package with the following command: - -$ sudo dnf install -y policycoreutils - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000210 - OL 9 policycoreutils-python-utils package must be installed. - <VulnDiscussion>The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Install the policycoreutils-python-utils service package (if the policycoreutils-python-utils service is not already installed) with the following command: - -$ sudo dnf install -y policycoreutils-python-utils - - - - - - - - SRG-OS-000096-GPOS-00050 - <GroupDescription></GroupDescription> - - OL09-00-000220 - OL 9 must have the firewalld package installed. 
- <VulnDiscussion>Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. - -Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. - -Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -OL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - -Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000382 - CCI-002314 - CCI-002322 - Install the firewalld package with the following command: - -$ sudo dnf install -y firewalld - - - - - - - - SRG-OS-000096-GPOS-00050 - <GroupDescription></GroupDescription> - - OL09-00-000221 - OL 9 must be configured so that the firewalld service is active. 
- <VulnDiscussion>Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. - -Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. - -Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -OL 9 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - -Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000382 - CCI-002314 - Enable the firewalld service with the following command: - -$ sudo systemctl enable --now firewalld - -Note: If firewalld is masked, run following command: - -sudo systemctl unmask firewalld - - - - - - - - SRG-OS-000324-GPOS-00125 - <GroupDescription></GroupDescription> - - OL09-00-000230 - OL 9 must have the sudo package installed. 
- <VulnDiscussion>sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to complete their work.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002235 - The sudo package can be installed with the following command: - -# dnf install -y sudo - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000231 - OL 9 must use the invoking user's password for privilege escalation when using sudo. - <VulnDiscussion>If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to use the invoking user's password for privilege escalation when using sudo. 
- -Define the following in the Defaults section of the /etc/sudoers file or a single configuration file in the /etc/sudoers.d/ directory: - -Defaults !targetpw -Defaults !rootpw -Defaults !runaspw - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000232 - OL 9 must restrict privilege elevation to authorized personnel. - <VulnDiscussion>If the sudoers file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Remove the following entries from the /etc/sudoers file or configuration file under /etc/sudoers.d/: - -ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALL - - - - - - - - SRG-OS-000396-GPOS-00176 - <GroupDescription></GroupDescription> - - OL09-00-000240 - OL 9 must have the crypto-policies package installed. - <VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. 
- -Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002450 - CCI-002890 - CCI-003123 - Install the crypto-policies package (if not already installed) with the following command: - -$ sudo dnf install -y crypto-policies - - - - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - OL09-00-000250 - OL 9 networked systems must have SSH installed. - <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
- -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002418 - CCI-002421 - CCI-002420 - CCI-002422 - The openssh-server package can be installed with the following command: - -$ sudo dnf install -y openssh-server - - - - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - OL09-00-000251 - OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. - <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
- -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002418 - CCI-002421 - CCI-002420 - CCI-002422 - Enable the sshd service with the following command: - -$ systemctl enable --now sshd - - - - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - OL09-00-000252 - The OL 9 SSH daemon must be configured to use systemwide cryptographic policies. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001453 - Configure the OL 9 SSH daemon to use systemwide cryptographic policies by running the following commands: - -$ sudo dnf reinstall -y openssh-server - - - - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - OL09-00-000254 - OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001453 - Configure the OL 9 SSH server to use only ciphers employing FIPS 140-3 approved algorithms. - -Reinstall crypto-policies with the following command: - -$ sudo dnf -y reinstall crypto-policies - -Set the crypto-policy to FIPS with the following command: - -$ sudo update-crypto-policies --set FIPS - -Setting system policy to FIPS - -Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - - - - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - OL09-00-000255 - OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001453 - Configure the OL 9 SSH server to use only MACs employing FIPS 140-3 approved algorithms. - -Reinstall crypto-policies with the following command: - -$ sudo dnf -y reinstall crypto-policies - -Set the crypto-policy to FIPS with the following command: - -$ sudo update-crypto-policies --set FIPS - -Setting system policy to FIPS - -Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - - - - - - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - OL09-00-000256 - OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. - <VulnDiscussion>The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. 
Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000048 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure OL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via ssh. - -Edit the "etc/ssh/sshd_config" file or a file in "/etc/ssh/sshd_config.d" to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). - -An example configuration line is: - -Banner /etc/issue - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000260 - OL 9 must have the openssh-clients package installed. 
- <VulnDiscussion>This package includes utilities to make encrypted connections and transfer files securely to SSH servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Install the openssh-clients package with the following command: - -$ sudo dnf install -y openssh-clients - - - - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - OL09-00-000261 - OL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001453 - Configure the SSH client to use only ciphers employing FIPS 140-3 approved algorithms. - -Reinstall crypto-policies with the following command: - -$ sudo dnf -y reinstall crypto-policies - -Set the crypto-policy to FIPS with the following command: - -$ sudo update-crypto-policies --set FIPS - -Setting system policy to FIPS - -Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - - - - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - OL09-00-000262 - OL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001453 - Configure the SSH client to use only MACs employing FIPS 140-3 approved algorithms. - -Reinstall crypto-policies with the following command: - -$ sudo dnf -y reinstall crypto-policies - -Set the crypto-policy to FIPS with the following command: - -$ sudo update-crypto-policies --set FIPS - -Setting system policy to FIPS - -Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - - - - - - - - SRG-OS-000105-GPOS-00052 - <GroupDescription></GroupDescription> - - OL09-00-000270 - OL 9 must have the openssl-pkcs11 package installed. - <VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. 
A privileged account is defined as an information system account with authorizations of a privileged user. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. - -Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000765 - CCI-004046 - CCI-001953 - CCI-001954 - Install the openssl-pkcs11 package with the following command: - -$ sudo dnf install -y openssl-pkcs11 - - - - - - - - SRG-OS-000705-GPOS-00150 - <GroupDescription></GroupDescription> - - OL09-00-000285 - OL 9 must have the SSSD package installed. - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
- -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004046 - CCI-004047 - CCI-000765 - CCI-000766 - Install the SSSD package with the following command: - -$ sudo dnf install -y sssd - - - - - - - - SRG-OS-000705-GPOS-00150 - <GroupDescription></GroupDescription> - - OL09-00-000286 - OL 9 must use the SSSD package for multifactor authentication services. - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. 
- -Multifactor authentication requires using two or more factors to achieve authentication. - -Factors include: -1) Something a user knows (e.g., password/PIN); -2) Something a user has (e.g., cryptographic identification device, token); and -3) Something a user is (e.g., biometric). - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). - -The DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. - -Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00161</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004046 - CCI-004047 - CCI-000765 - CCI-000767 - Configure the sssd.service to start automatically on reboot with the following command: - -$ sudo systemctl enable sssd.service - -Ensure the sssd service is running: - -$ sudo systemctl start sssd.service - - - - - - - - SRG-OS-000363-GPOS-00150 - <GroupDescription></GroupDescription> - - OL09-00-000290 - OL 9 must have the s-nail package installed. 
- <VulnDiscussion>The s-nail package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001744 - Install the s-nail package with the following command: - -$ sudo dnf install -y s-nail - - - - - - - - SRG-OS-000363-GPOS-00150 - <GroupDescription></GroupDescription> - - OL09-00-000300 - OL 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. - <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
- -Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001744 - CCI-002696 - Install AIDE, initialize it, and perform a manual check. - -Install AIDE: - -$ sudo dnf install -y aide - -Initialize AIDE: - -$ sudo /usr/sbin/aide --init - -Example output: - -Start timestamp: 2023-06-05 10:09:04 -0600 (AIDE 0.16) -AIDE initialized database at /var/lib/aide/aide.db.new.gz - -Number of entries: 86833 - ---------------------------------------------------- -The attributes of the (uncompressed) database(s): ---------------------------------------------------- - -/var/lib/aide/aide.db.new.gz - MD5 : coZUtPHhoFoeD7+k54fUvQ== - SHA1 : DVpOEMWJwo0uPgrKZAygIUgSxeM= - SHA256 : EQiZH0XNEk001tcDmJa+5STFEjDb4MPE - TGdBJ/uvZKc= - SHA512 : 86KUqw++PZhoPK0SZvT3zuFq9yu9nnPP - toei0nENVELJ1LPurjoMlRig6q69VR8l - +44EwO9eYyy9nnbzQsfG1g== - -End timestamp: 2023-06-05 10:09:57 -0600 (run time: 0m 53s) - -The new database will need to be renamed to be read by AIDE: - -$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz - -Perform a manual check: - -$ sudo /usr/sbin/aide --check - -Example output: - -2023-06-05 10:16:08 -0600 (AIDE 0.16) -AIDE found NO differences between database and filesystem. Looks okay!! - - - - - - - - SRG-OS-000355-GPOS-00143 - <GroupDescription></GroupDescription> - - OL09-00-000310 - OL 9 must have the chrony package installed. - <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004923 - Install the chrony package with the following command: - -$ sudo dnf install -y chrony - - - - - - - - SRG-OS-000355-GPOS-00143 - <GroupDescription></GroupDescription> - - OL09-00-000311 - OL 9 must enable the chronyd service. - <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
- -Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004923 - Enable the chronyd service with the following command: - -$ sudo systemctl enable --now chronyd - - - - - - - - SRG-OS-000378-GPOS-00163 - <GroupDescription></GroupDescription> - - OL09-00-000320 - OL 9 must have the USBGuard package installed. - <VulnDiscussion>The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
- -The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001958 - Install the usbguard package with the following command: - -$ sudo dnf install -y usbguard - - - - - - - - SRG-OS-000378-GPOS-00163 - <GroupDescription></GroupDescription> - - OL09-00-000321 - OL 9 must enable the USBGuard package. - <VulnDiscussion>The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
- -The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001958 - Enable the USBGuard service with the following command: - -$ sudo systemctl enable --now usbguard - - - - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - OL09-00-000330 - OL 9 must have the subscription-manager package installed. - <VulnDiscussion>Oracle Linux Manager, based on the Spacewalk open source software, helps automate Oracle Linux systems management. This enables users to control the system software life cycle from initial installation through maintenance, software configuration, upgrades, and eventual decommissioning. 
Oracle Linux Manager also helps automate a kickstart installation, system configuration, and maintenance tasks, which enables rapid deployment of proven and consistent software configurations for Oracle Linux systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-003992 - Install the oracle-linux-manager package with the following command: - -$ sudo dnf install -y oracle-linux-manager-client-release-el9 - - - - - - - - SRG-OS-000370-GPOS-00155 - <GroupDescription></GroupDescription> - - OL09-00-000340 - OL 9 must have the fapolicy module installed. - <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. - -Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. - -User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. - -OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. 
It can be used to either blocklist or allowlist processes or file access. - -Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - -Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001774 - CCI-001764 - Install the fapolicyd package with the following command: - -$ sudo dnf install -y fapolicyd - - - - - - - - SRG-OS-000370-GPOS-00155 - <GroupDescription></GroupDescription> - - OL09-00-000341 - OL 9 must enable the fapolicy module. - <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. - -Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. - -User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. - -OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". 
"fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blocklist or allowlist processes or file access. - -Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - -Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001774 - CCI-001764 - Enable the fapolicyd service with the following command: - -$ sudo systemctl enable --now fapolicyd - - - - - - - - SRG-OS-000479-GPOS-00224 - <GroupDescription></GroupDescription> - - OL09-00-000350 - OL 9 must have the rsyslog package installed. - <VulnDiscussion>rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS, and DTLS protocols), to create a method to securely encrypt and offload auditing. 
- -Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - CCI-000154 - The rsyslogd package can be installed with the following command: - -$ sudo dnf install -y rsyslogd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000351 - OL 9 must be configured so that the rsyslog service is active. - <VulnDiscussion>The rsyslog service must be running to provide logging services, which are essential to system administration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Enable the rsyslog service with the following command: - -$ sudo systemctl enable --now rsyslog - - - - - - - - SRG-OS-000120-GPOS-00061 - <GroupDescription></GroupDescription> - - OL09-00-000355 - OL 9 must have the packages required for encrypting offloaded audit logs installed. 
- <VulnDiscussion>The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000803 - Install the rsyslog-gnutls package with the following command: - -$ sudo dnf install -y rsyslog-gnutls - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000360 - OL 9 must enable the hardware random number generator entropy gatherer service. - <VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -The rngd service feeds random data from hardware device to kernel random device. 
Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Install the rng-tools package with the following command: - -$ sudo dnf install -y rng-tools - -Enable the rngd service run the following command: - -$ sudo systemctl enable --now rngd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000370 - OL 9 must have the rng-tools package installed. - <VulnDiscussion>rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Install the rng-tools package with the following command: - -$ sudo dnf install -y rng-tools - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000380 - OL 9 must have the nss-tools package installed. - <VulnDiscussion>Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. 
Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Install the nss-tools package with the following command: - -$ sudo dnf install -y nss-tools - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - OL09-00-000390 - OL 9 must have the pcsc-lite package installed. - <VulnDiscussion>The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004046 - Install the pcsc-lite package with the following command: - -$ sudo dnf install -y pcsc-lite - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - OL09-00-000400 - OL 9 must have the opensc package installed. - <VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. 
- -The DOD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004046 - CCI-001953 - Install the opensc package with the following command: - -$ sudo dnf install -y opensc - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - OL09-00-000401 - OL 9 must be configured so that the pcscd service is active. - <VulnDiscussion>The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -The daemon program for pcsc-lite and the MuscleCard framework is pcscd. 
It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004046 - Enable the pcscd service with the following command: - -$ sudo systemctl enable --now pcscd - - - - - - - - SRG-OS-000120-GPOS-00061 - <GroupDescription></GroupDescription> - - OL09-00-000410 - OL 9 must have the libreswan package installed. - <VulnDiscussion>Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000803 - Install the libreswan service (if it is not already installed) with the following command: - -$ sudo dnf install -y libreswan - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000430 - OL 9 must have the gnutls-utils package installed. - <VulnDiscussion>GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols and technologies around them. 
It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Install the gnutls-utils package with the following command: - -$ sudo dnf install -y gnutls-utils - - - - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - OL09-00-000440 - OL 9 must have the audit package installed. - <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured OL 9 system. 
- -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000169 - CCI-000130 - CCI-000131 - CCI-000132 - CCI-000133 - CCI-000134 - CCI-000135 - CCI-000154 - CCI-000158 - CCI-001876 - CCI-001464 - CCI-001487 - CCI-001914 - CCI-001875 - CCI-001877 - CCI-001878 - CCI-001879 - CCI-001880 - CCI-001881 - CCI-001882 - CCI-001889 - CCI-003938 - CCI-002884 - CCI-000172 - CCI-000159 - Install the audit service package (if the audit service is not already installed) with the following command: - -$ sudo dnf install -y audit - - - - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - OL09-00-000441 - OL 9 audit service must be enabled. - <VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. - -Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000169 - CCI-000130 - CCI-000131 - CCI-000132 - CCI-000133 - CCI-000134 - CCI-000135 - CCI-000154 - CCI-000158 - CCI-001876 - CCI-001464 - CCI-001487 - CCI-001914 - CCI-001875 - CCI-001877 - CCI-001878 - CCI-001879 - CCI-001880 - CCI-001881 - CCI-001882 - CCI-001889 - CCI-003938 - CCI-002884 - CCI-000172 - Enable the auditd service with the following command: - -$ sudo systemctl enable --now auditd - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - OL09-00-000450 - OL 9 must have the audispd-plugins package installed. 
- <VulnDiscussion>audispd-plugins provides plug-ins for the real-time interface to the audit subsystem, audispd. These plug-ins can do things like relay events to remote machines or analyze events for suspicious behavior.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - The audispd-plugins package can be installed with the following command: - -$ sudo dnf install -y audispd-plugins - - - - - - - - SRG-OS-000437-GPOS-00194 - <GroupDescription></GroupDescription> - - OL09-00-000495 - OL 9 must remove all software components after updated versions have been installed. - <VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002617 - Configure OL 9 to remove all software components after updated versions have been installed. 
- -Edit the file /etc/dnf/dnf.conf by adding or editing the following line: - - clean_requirements_on_remove=1 - - - - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - OL09-00-000496 - OL 9 must check the GPG signature of locally installed software packages before installation. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -All software packages must be signed with a cryptographic key recognized and approved by the organization. - -Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-003992 - Configure dnf to always check the GPG signature of local software packages before installation. - -Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: - -localpkg_gpgcheck=1 - - - - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - OL09-00-000497 - OL 9 must check the GPG signature of software packages originating from external software repositories before installation. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -All software packages must be signed with a cryptographic key recognized and approved by the organization. - -Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-003992 - Configure dnf to always check the GPG signature of software packages originating from external software repositories before installation. - -Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: - -gpgcheck=1 - - - - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - OL09-00-000498 - OL 9 must have GPG signature verification enabled for all software repositories. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -All software packages must be signed with a cryptographic key recognized and approved by the organization. - -Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-003992 - Configure all software repositories defined in "/etc/yum.repos.d/" to have "gpgcheck" enabled: - -$ sudo sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - OL09-00-000500 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. - <VulnDiscussion>The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000015 - CCI-002884 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /etc/sudoers -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - OL09-00-000505 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. - <VulnDiscussion>The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000015 - CCI-002884 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /etc/sudoers.d/ -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - OL09-00-000510 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000015 - CCI-002884 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /etc/group -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - OL09-00-000515 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000015 - CCI-002884 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /etc/gshadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - OL09-00-000520 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000015 - CCI-002884 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /etc/security/opasswd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - OL09-00-000525 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000015 - CCI-002884 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /etc/passwd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - OL09-00-000530 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000015 - CCI-002884 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /etc/shadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000535 - OL 9 must audit all uses of the unix_update command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the "unix_update" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000540 - OL 9 must audit all uses of the su command. 
- <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the su command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000545 - OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to audit the execution of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F 
auid=0 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000550 - OL 9 must audit all uses of the chage command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chage command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000555 - OL 9 must audit all uses of the chcon command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chcon command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000560 - OL 9 must audit all uses of the setfacl command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the setfacl command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000565 - OL 9 must audit all uses of the chsh command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chsh command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000570 - OL 9 must audit all uses of the crontab command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the crontab command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000575 - OL 9 must audit all uses of the gpasswd command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the gpasswd command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000580 - OL 9 must audit all uses of the newgrp command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the newgrp command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000585 - OL 9 must audit all uses of the pam_timestamp_check command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the pam_timestamp_check command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000590 - OL 9 must audit all uses of the passwd command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the passwd command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000595 - OL 9 must audit all uses of the postdrop command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the postdrop command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000600 - OL 9 must audit all uses of the postqueue command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the postqueue command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000605 - OL 9 must audit all uses of the ssh-agent command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the ssh-agent command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000610 - OL 9 must audit all uses of the ssh-keysign command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the ssh-keysign command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000615 - OL 9 must audit all uses of the sudoedit command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the sudoedit command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000620 - OL 9 must audit all uses of the unix_chkpwd command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the unix_chkpwd command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000625 - OL 9 must audit all uses of the userhelper command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the userhelper command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000630 - OL 9 must audit all uses of the mount command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the mount command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000635 - OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate an audit event for any successful/unsuccessful use of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F 
arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000640 - OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chmod, fchmod, and fchmodat system calls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000645 - OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chown, fchown, fchownat, and lchown system calls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000650 - OL 9 must audit all uses of the semanage command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the semanage command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000655 - OL 9 must audit all uses of the setfiles command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the setfiles command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000660 - OL 9 must audit all uses of the setsebool command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate an audit event for any successful/unsuccessful use of the setsebool command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000665 - OL 9 must audit all uses of the chacl command. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chacl command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000670 - OL 9 must audit all uses of the sudo command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the sudo command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000675 - OL 9 must audit all uses of the usermod command. - <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the usermod command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000680 - OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate an audit event for any successful/unsuccessful use of the rename, unlink, rmdir, renameat, and unlinkat system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000685 - OL 9 must audit all uses of the delete_module system call. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate an audit event for any successful/unsuccessful use of the delete_module system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng --a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000690 - OL 9 must audit all uses of the init_module and finit_module system calls. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate an audit event for any successful/unsuccessful use of the init_module and finit_module system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng --a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000695 - OL 9 must audit all uses of the kmod command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the kmod command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000700 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. 
- <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /var/log/lastlog -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000705 - OL 9 must audit all uses of umount system calls. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000169 - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the umount command by adding or updating the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000256-GPOS-00097 - <GroupDescription></GroupDescription> - - OL09-00-000710 - OL 9 must use cryptographic mechanisms to protect the integrity of audit tools. - <VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. 
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. - -Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. - -To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. - -Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001493 - CCI-001494 - CCI-001495 - CCI-001496 - Configure OL 9 to protect the integrity of the audit tools. 
- -Add or update the following lines to /etc/aide.conf: - -/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - - - - - - - - SRG-OS-000326-GPOS-00126 - <GroupDescription></GroupDescription> - - OL09-00-000715 - OL 9 must audit uses of the execve system call. - <VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - -Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-OS-000755-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002233 - CCI-002234 - CCI-004188 - Configure OL 9 to audit the execution of the execve system call. 
- -Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv --a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv --a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - -Note: Users must reboot to view above results with command "auditctl -l | grep execve". - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - OL09-00-000720 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /var/log/faillock -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - OL09-00-000725 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. - <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002884 - CCI-000172 - Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. - -Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": - --w /var/log/tallylog -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000477-GPOS-00222 - <GroupDescription></GroupDescription> - - OL09-00-000730 - OL 9 must be configured so that successful/unsuccessful uses of the init command generate an audit record. 
- <VulnDiscussion>Misuse of the init command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000172 - Configure the audit system to generate an audit event for any successful/unsuccessful uses of the init command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000477-GPOS-00222 - <GroupDescription></GroupDescription> - - OL09-00-000735 - OL 9 must be configured so that successful/unsuccessful uses of the poweroff command generate an audit record. 
- <VulnDiscussion>Misuse of the poweroff command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000172 - Configure the audit system to generate an audit event for any successful/unsuccessful uses of the poweroff command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000477-GPOS-00222 - <GroupDescription></GroupDescription> - - OL09-00-000740 - OL 9 must be configured so that successful/unsuccessful uses of the reboot command generate an audit record. 
- <VulnDiscussion>Misuse of the reboot command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000172 - Configure the audit system to generate an audit event for any successful/unsuccessful uses of the reboot command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000477-GPOS-00222 - <GroupDescription></GroupDescription> - - OL09-00-000745 - OL 9 must be configured so that successful/unsuccessful uses of the shutdown command generate an audit record. 
- <VulnDiscussion>Misuse of the shutdown command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000172 - Configure the audit system to generate an audit event for any successful/unsuccessful uses of the shutdown command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000750 - OL 9 must enable auditing of processes that start prior to the audit daemon. - <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-002884 - CCI-000172 - CCI-001464 - Enable auditing of processes that start prior to the audit daemon with the following command: - -$ sudo grubby --update-kernel=ALL --args="audit=1" - -Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: - -GRUB_CMDLINE_LINUX="audit=1" - - - - - - - - SRG-OS-000039-GPOS-00017 - <GroupDescription></GroupDescription> - - OL09-00-000755 - OL 9 must label all offloaded audit logs before sending them to the central log server. - <VulnDiscussion>Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. - -When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. 
- -Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000132 - CCI-001851 - Configure OL 9 to label all offloaded audit logs before sending them to the central log server. - -Edit the /etc/audit/auditd.conf file and add or update the "name_format" option: - -name_format = hostname - -The audit daemon must be restarted for changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - OL09-00-000760 - OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. - <VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000169 - Configure OL 9 to shut down by default upon audit failure (unless availability is an overriding concern). - -Add or update the following line (depending on configuration "disk_error_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: - -disk_error_action = HALT - -If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - - - - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - OL09-00-000765 - OL 9 audit system must take appropriate action when the audit storage volume is full. - <VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000169 - Configure OL 9 to shut down by default upon audit failure (unless availability is an overriding concern). - -Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: - -disk_full_action = HALT - -If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - - - - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - OL09-00-000770 - OL 9 audit system must take appropriate action when the audit files have reached maximum size. - <VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000169 - Configure OL 9 to rotate the audit log when it reaches maximum size. - -Add or update the following line in "/etc/audit/auditd.conf" file: - -max_log_file_action = ROTATE - - - - - - - - SRG-OS-000051-GPOS-00024 - <GroupDescription></GroupDescription> - - OL09-00-000775 - OL 9 must periodically flush audit records to disk to prevent the loss of audit records. - <VulnDiscussion>If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000154 - Configure OL 9 to flush audit to disk by adding or updating the following configuration in "/etc/audit/auditd.conf": - -freq = 100 - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000057-GPOS-00027 - <GroupDescription></GroupDescription> - - OL09-00-000785 - OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. 
- <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000162 - CCI-000163 - CCI-000164 - CCI-001314 - Configure OL 9 audit logs to be group-owned by "root" or a restricted logging group. - -Change the group of the directory of "/var/log/audit" to be owned by a correct group. - -Identify the group that is configured to own audit log: - -$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf - -Change the ownership to that group: - -$ sudo chgrp ${GROUP} /var/log/audit - - - - - - - - SRG-OS-000057-GPOS-00027 - <GroupDescription></GroupDescription> - - OL09-00-000790 - OL 9 audit log directory must be owned by root to prevent unauthorized read access. - <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
- -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000162 - CCI-000163 - CCI-000164 - CCI-001314 - Configure OL 9 to protect the audit log from unauthorized read access by setting the correct owner as "root" with the following command: - -$ sudo chown root /var/log/audit - - - - - - - - SRG-OS-000057-GPOS-00027 - <GroupDescription></GroupDescription> - - OL09-00-000795 - OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. - <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
- -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000162 - CCI-000163 - CCI-000164 - CCI-001314 - Configure the audit logs to have a mode of "0600" with the following command: - -Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - -$ sudo chmod 0600 /var/log/audit/[audit_log_file] - -Check the group that owns the system audit logs: - -$ sudo grep -m 1 -q ^log_group /etc/audit/auditd.conf - -If the log_group is not defined or it is set to root, configure the permissions the following way: - -$ sudo chmod 0640 $log_file -$ sudo chmod 0440 $log_file.* - -Otherwise, configure the permissions the following way: - -$ sudo chmod 0600 $log_file -$ sudo chmod 0400 $log_file.* - - - - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - OL09-00-000800 - OL 9 audit system must audit local events. - <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
- -If option "local_events" isn't set to "yes" only events from network will be aggregated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000169 - Configure OL 9 to generate audit records for local events by adding or updating the following line in "/etc/audit/auditd.conf": - -local_events = yes - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000063-GPOS-00032 - <GroupDescription></GroupDescription> - - OL09-00-000805 - OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - <VulnDiscussion>Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000171 - Configure the files in directory "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file to have a mode of "0640" with the following commands: - -$ sudo chmod 0640 /etc/audit/rules.d/audit.rules -$ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules -$ sudo chmod 0640 /etc/audit/auditd.conf - - - - - - - - SRG-OS-000063-GPOS-00032 - <GroupDescription></GroupDescription> - - OL09-00-000810 - OL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. - <VulnDiscussion>Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000171 - Configure the /etc/audit/auditd.conf file to have a mode of 0640 with the command: - -$ sudo chmod 0640 /etc/audit/auditd.conf - - - - - - - - SRG-OS-000046-GPOS-00022 - <GroupDescription></GroupDescription> - - OL09-00-000815 - OL 9 must forward mail from postmaster to the root account using a postfix alias. - <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000139 - Configure a valid email address as an alias for the root account. 
- -Append the following line to "/etc/aliases": - -postmaster: root - -Then, run the following command: - -$ sudo newaliases - - - - - - - - SRG-OS-000046-GPOS-00022 - <GroupDescription></GroupDescription> - - OL09-00-000820 - OL 9 must take appropriate action when a critical audit processing failure occurs. - <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00135</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000139 - CCI-000140 - Configure OL 9 to shut down when auditing failures occur. - -Add the following line to the bottom of the /etc/audit/audit.rules file: - --f 2 - - - - - - - - SRG-OS-000046-GPOS-00022 - <GroupDescription></GroupDescription> - - OL09-00-000825 - The OL 9 system administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. - <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000139 - CCI-001855 - Configure the auditd service to notify the SA and ISSO in the event of an audit processing failure. - -Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: - -action_mail_acct = root - -The audit daemon must be restarted for changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000254-GPOS-00095 - <GroupDescription></GroupDescription> - - OL09-00-000830 - OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. - <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. - -Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001464 - CCI-001849 - Configure OL 9 to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: - -$ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192 - - - - - - - - SRG-OS-000255-GPOS-00096 - <GroupDescription></GroupDescription> - - OL09-00-000835 - OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. - <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
- -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001487 - Configure OL 9 to produce audit records containing information to establish the identity of any individual or process associated with the event. - -Edit the /etc/audit/auditd.conf file and add or update the "log_format" option: - -log_format = ENRICHED - -The audit daemon must be restarted for changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000840 - OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record. - <VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000169 - CCI-002884 - CCI-000172 - Configure the audit system to generate an audit event for any successful/unsuccessful use of the umount system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory: - --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-000845 - OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record. - <VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing discretionary access control (DAC) modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000169 - CCI-002884 - CCI-000172 - Configure the audit system to generate an audit event for any successful/unsuccessful use of the umount2 system call by adding the following rules to a rules file in /etc/audit/rules.d/ directory: (Example /etc/audit/rules.d/audit.rules) - --a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000341-GPOS-00132 - <GroupDescription></GroupDescription> - - OL09-00-000850 - OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. - <VulnDiscussion>To ensure OL 9 systems have a sufficient storage capacity in which to write the audit logs, OL 9 needs to be able to allocate audit record storage capacity. - -The task of allocating audit record storage capacity is usually performed during initial installation of OL 9. 
- -Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001849 - CCI-001851 - Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. - -If audit records are stored on a partition made specifically for audit records, resize the partition with sufficient space to contain one week of audit records. - -If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created. - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - OL09-00-000855 - OL 9 must be configured to offload audit records onto a different system from the system being audited via syslog. - <VulnDiscussion>The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. 
- -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - Configure OL 9 to offload audit records onto a different system from the system being audited via syslog. - -Edit the /etc/audit/plugins.d/syslog.conf file and add or update the "active" option: - -active = yes - -The audit daemon must be restarted for changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - OL09-00-000860 - OL 9 must take appropriate action when the internal event queue is full. - <VulnDiscussion>The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Offloading is a common process in information systems with limited audit storage capacity. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - Configure OL 9 to take appropriate action when the internal event queue is full. 
- -Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option: - -overflow_action = syslog - -The audit daemon must be restarted for changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - OL09-00-000865 - OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - <VulnDiscussion>If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001855 - Configure OL 9 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches (at most) 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file: - -space_left = 25% - - - - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - OL09-00-000870 - OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. 
- <VulnDiscussion>If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001855 - Configure OL 9 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches (at most) 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file: - -space_left_action = email - - - - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - OL09-00-000875 - OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. 
- <VulnDiscussion>If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001855 - Configure OL 9 to initiate an action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. - -admin_space_left = 5% - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-000880 - OL 9 must write audit records to disk. - <VulnDiscussion>Audit data should be synchronously written to disk to ensure log integrity. This setting ensures that all audit event data is written disk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the audit system to write log files to the disk. - -Edit the /etc/audit/auditd.conf file and add or update the "write_logs" option to "yes": - -write_logs = yes - -The audit daemon must be restarted for changes to take effect. 
- -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - OL09-00-000885 - OL 9 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. - <VulnDiscussion>If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001855 - Configure the auditd service to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. - -Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity: - -admin_space_left_action = single - -The audit daemon must be restarted for changes to take effect. - -Restart auditd: -$ sudo service auditd restart - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - OL09-00-000925 - OL 9 must enable certificate-based smart card authentication. - <VulnDiscussion>Without the use of multifactor authentication (MFA), the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. 
The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004046 - CCI-000765 - Configure OL 9 to enable certificate-based smart card authentication. - -Edit the file "/etc/sssd/sssd.conf" and add or edit the following line: - -pam_cert_auth = True - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - OL09-00-000930 - OL 9 must implement certificate status checking for multifactor authentication (MFA). - <VulnDiscussion>Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. - -OL 9 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, SSSD performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. 
- -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004046 - CCI-001954 - Configure OL 9 to implement certificate status checking for MFA. - -Review the "/etc/sssd/conf.d/certificate_verification.conf" file to determine if the system is configured to prevent OCSP or certificate verification. - -Add the following line to the "/etc/sssd/conf.d/certificate_verification.conf" file: - -certificate_verification = ocsp_dgst=sha512 - -Set the correct ownership and permissions on the "/etc/sssd/conf.d/certificate_verification.conf" file by running these commands: - -$ sudo chown root:root "/etc/sssd/conf.d/certificate_verification.conf" -$ sudo chmod 600 "/etc/sssd/conf.d/certificate_verification.conf" - -The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: - -$ sudo systemctl restart sssd.service - - - - - - - - SRG-OS-000383-GPOS-00166 - <GroupDescription></GroupDescription> - - OL09-00-000935 - OL 9 must prohibit the use of cached authenticators after one day. 
- <VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002007 - Configure the SSSD to prohibit the use of cached authentications after one day. - -Add or change the following line in "/etc/sssd/sssd.conf" just below the line [pam]: - -offline_credentials_expiration = 1 - - - - - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - OL09-00-000940 - OL 9 must use the CAC smart card driver. - <VulnDiscussion>Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. 
- -Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000764 - CCI-000766 - CCI-000765 - CCI-004045 - CCI-001941 - Configure OL 9 to load the CAC driver. - -Add or modify the following line in the "/etc/opensc.conf" file: - -card_drivers = cac; - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-001000 - OL 9 must ensure the password complexity module is enabled in the system-auth file. - <VulnDiscussion>Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to use "pwquality" to enforce password complexity rules. 
- -Add the following line to the "/etc/pam.d/system-auth" file(or modify the line to have the required value): - -password required pam_pwquality.so - - - - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - OL09-00-001001 - OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -OL 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth - -By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to limit the "pwquality" retry option to "3". - -Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): - -password required pam_pwquality.so retry=3 - - - - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - OL09-00-001005 - OL 9 must enforce password complexity by requiring that at least one uppercase character be used. 
- <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce password complexity by requiring that at least one uppercase character is used by setting the "ucredit" option. - -Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - -ucredit = -1 - - - - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - OL09-00-001010 - OL 9 must ensure the password complexity module is enabled in the password-auth file. - <VulnDiscussion>Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. 
- -Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to use "pwquality" to enforce password complexity rules. - -Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): - -password required pam_pwquality.so - - - - - - - - SRG-OS-000070-GPOS-00038 - <GroupDescription></GroupDescription> - - OL09-00-001015 - OL 9 must enforce password complexity by requiring that at least one lowercase character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce password complexity by requiring at least one lowercase character is used by setting the "lcredit" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -lcredit = -1 - - - - - - - - SRG-OS-000071-GPOS-00039 - <GroupDescription></GroupDescription> - - OL09-00-001020 - OL 9 must enforce password complexity by requiring that at least one numeric character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce password complexity by requiring at least one numeric character is used by setting the "dcredit" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -dcredit = -1 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - OL09-00-001025 - OL 9 must require the change of at least eight characters when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords will not resemble previously compromised ones. 
Note that passwords changed on compromised systems will still be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -difok = 8 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - OL09-00-001030 - OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. - -Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): - -maxclassrepeat = 4 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - OL09-00-001035 - OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -maxrepeat = 3 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - OL09-00-001040 - OL 9 must require the change of at least four character classes when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to require the change of at least four character classes when passwords are changed by setting the "minclass" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -minclass = 4 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - OL09-00-001045 - OL 9 must enforce password complexity rules for the root account. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
- -Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce password complexity on the root account. - -Add or update the following line in /etc/security/pwquality.conf: - -enforce_for_root - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - OL09-00-001050 - OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. 
Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004062 - Configure OL 9 to use the SHA-512 algorithm for password hashing. - -Add or change the following line in the "[default]" section of "/etc/libuser.conf" file: - -crypt_style = sha512 - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - OL09-00-001055 - OL 9 must be configured to use the shadow file to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. 
Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004062 - Configure OL 9 to store only SHA-512 encrypted representations of passwords. - -Add or update the following line in the "/etc/login.defs" file: - -ENCRYPT_METHOD SHA512 - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - OL09-00-001060 - OL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. - <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. - -OL 9 systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004062 - Configure OL 9 to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. - -Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so: - -password sufficient pam_unix.so sha512 - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - OL09-00-001065 - OL 9 password-auth must be configured to use a sufficient number of hashing rounds. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -Using more hashing rounds makes password cracking attacks more difficult. 
- -Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004062 - CCI-000803 - Configure Oracle Linux 9 to use 100000 hashing rounds for hashing passwords. - -Add or modify the following line in "/etc/pam.d/password-auth" and set "rounds" to "100000". - -password sufficient pam_unix.so sha512 rounds=100000 - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - OL09-00-001070 - OL 9 system-auth must be configured to use a sufficient number of hashing rounds. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -Using more hashing rounds makes password cracking attacks more difficult. - -Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004062 - CCI-000803 - Configure Oracle Linux 9 to use 100000 hashing rounds for hashing passwords. 
- -Add or modify the following line in "/etc/pam.d/system-auth" and set "rounds" to 100000. - -password sufficient pam_unix.so sha512 rounds=100000' - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - OL09-00-001075 - OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -Using more hashing rounds makes password cracking attacks more difficult. - -Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004062 - CCI-000803 - Configure OL 9 to encrypt all stored passwords with a strong cryptographic hash. - -Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "100000": - -SHA_CRYPT_MIN_ROUNDS 100000 -SHA_CRYPT_MAX_ROUNDS 100000 - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - OL09-00-001080 - OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. - <VulnDiscussion>The system must use a strong hashing algorithm to store the password. - -Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - -Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004062 - CCI-000803 - Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - -To lock an account: - -$ sudo passwd -l [username] - - - - - - - - SRG-OS-000075-GPOS-00043 - <GroupDescription></GroupDescription> - - OL09-00-001085 - OL 9 passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs. - <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. 
- -Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce 24 hours as the minimum password lifetime. - -Add the following line in "/etc/login.defs" (or modify the line to have the required value): - -PASS_MIN_DAYS 1 - - - - - - - - SRG-OS-000075-GPOS-00043 - <GroupDescription></GroupDescription> - - OL09-00-001090 - OL 9 passwords must have a 24-hour minimum password lifetime restriction in /etc/shadow. - <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure noncompliant accounts to enforce a 24-hour minimum password lifetime: - -$ sudo passwd -n 1 [user] - - - - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - OL09-00-001095 - OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. - <VulnDiscussion>Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. - -Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce a 60-day maximum password lifetime. - -Add or modify the following line in the "/etc/login.defs" file: - -PASS_MAX_DAYS 60 - - - - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - OL09-00-001100 - OL 9 user account passwords must have a 60-day maximum password lifetime restriction. - <VulnDiscussion>Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If OL 9 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that OL 9 passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure noncompliant accounts to enforce a 60-day maximum password lifetime restriction. - -passwd -x 60 [user] - - - - - - - - SRG-OS-000078-GPOS-00046 - <GroupDescription></GroupDescription> - - OL09-00-001105 - OL 9 passwords must be created with a minimum of 15 characters. 
- <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - -OL 9 uses "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. - -The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, but they will not count toward the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. - -The DOD minimum password requirement is 15 characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce a minimum 15-character password length. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -minlen = 15 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-001110 - OL 9 must not allow blank or null passwords. 
- <VulnDiscussion>If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" files to prevent logons with empty passwords. - -Note: Manual changes to the listed file may be overwritten by the "authselect" program. - - - - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - OL09-00-001115 - OL 9 must require a boot loader superuser password. - <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
- -Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000213 - Configure OL 9 to require a grub bootloader password for the grub superuser account. - -Generate an encrypted grub2 password for the grub superuser account with the following command: - -$ sudo grub2-setpassword -Enter password: -Confirm password: - - - - - - - - SRG-OS-000266-GPOS-00101 - <GroupDescription></GroupDescription> - - OL09-00-001120 - OL 9 must enforce password complexity by requiring that at least one special character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. OL 9 uses "pwquality" as a mechanism to enforce password complexity. 
Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004066 - Configure OL 9 to enforce password complexity by requiring at least one special character be used by setting the "ocredit" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -ocredit = -1 - - - - - - - - SRG-OS-000480-GPOS-00225 - <GroupDescription></GroupDescription> - - OL09-00-001125 - OL 9 must prevent the use of dictionary words for passwords. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If OL 9 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to prevent the use of dictionary words for passwords. - -Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: - -dictcheck=1 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-001130 - OL 9 must not have accounts configured with blank or null passwords. - <VulnDiscussion>If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 so that all accounts have a password or lock the account with the following commands: - -Perform a password reset: - -$ sudo passwd [username] - -To lock an account: - -$ sudo passwd -l [username] - - - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - OL09-00-002000 - OL 9 file system automount function must be disabled unless required. - <VulnDiscussion>An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000778 - CCI-001958 - Configure OL 9 to disable and mask the ability to automount devices. 
- -The autofs service can be disabled and masked with the following command: - -$ sudo systemctl mask --now autofs.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002010 - OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. - <VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to authenticate the remote mount request more securely.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. - -Ensure the "sec" option is defined as "krb5p:krb5i:krb5". - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002011 - OL 9 must prevent special devices on file systems that are imported via Network File System (NFS). - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Update each NFS mounted file system to use the "nodev" option on file systems that are being imported via NFS. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002012 - OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). - <VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Update each NFS mounted file system to use the "noexec" option on file systems that are being imported via NFS. 
- - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002013 - OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). - <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Update each NFS mounted file system to use the "nosuid" option on file systems that are being imported via NFS. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002030 - OL 9 must mount /boot with the nodev option. - <VulnDiscussion>The only legitimate location for device files is the "/dev" directory located on the root partition. 
The only exception to this is chroot jails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /boot with the nodev option. - -Modify "/etc/fstab" to use the "nodev" option on the "/boot" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002031 - OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. - <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on the /boot directory. - -Modify "/etc/fstab" to use the "nosuid" option on the "/boot" directory. 
- - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002032 - OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. - <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-001764 - Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. - -Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002040 - OL 9 must mount /dev/shm with the nodev option. - <VulnDiscussion>The nodev mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
- -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /dev/shm with the nodev option. - -Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002041 - OL 9 must mount /dev/shm with the noexec option. - <VulnDiscussion>The noexec mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /dev/shm with the noexec option. - -Modify "/etc/fstab" to use the "noexec" option on the "/dev/shm" file system. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002042 - OL 9 must mount /dev/shm with the nosuid option. 
- <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /dev/shm with the nosuid option. - -Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002050 - OL 9 must mount /tmp with the nodev option. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
- -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /tmp with the nodev option. - -Modify "/etc/fstab" to use the "nodev" option on the "/tmp" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002051 - OL 9 must mount /tmp with the noexec option. - <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /tmp with the noexec option. - -Modify "/etc/fstab" to use the "noexec" option on the "/tmp" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002052 - OL 9 must mount /tmp with the nosuid option. 
- <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /tmp with the nosuid option. - -Modify "/etc/fstab" to use the "nosuid" option on the "/tmp" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002060 - OL 9 must mount /var with the nodev option. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
- -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var with the nodev option. - -Modify "/etc/fstab" to use the "nodev" option on the "/var" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002061 - OL 9 must mount /var/log with the nodev option. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/log with the nodev option. - -Modify "/etc/fstab" to use the "nodev" option on the "/var/log" directory. 
- - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002062 - OL 9 must mount /var/log with the noexec option. - <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/log with the noexec option. - -Modify "/etc/fstab" to use the "noexec" option on the "/var/log" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002063 - OL 9 must mount /var/log with the nosuid option. - <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/log with the nosuid option. - -Modify "/etc/fstab" to use the "nosuid" option on the "/var/log" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002064 - OL 9 must mount /var/log/audit with the nodev option. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/log/audit with the nodev option. - -Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory. 
- - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002065 - OL 9 must mount /var/log/audit with the noexec option. - <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/log/audit with the noexec option. - -Modify "/etc/fstab" to use the "noexec" option on the "/var/log/audit" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002066 - OL 9 must mount /var/log/audit with the nosuid option. - <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/log/audit with the nosuid option. - -Modify "/etc/fstab" to use the "nosuid" option on the "/var/log/audit" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002067 - OL 9 must mount /var/tmp with the nodev option. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/tmp with the nodev option. - -Modify "/etc/fstab" to use the "nodev" option on the "/var/tmp" directory. 
- - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002068 - OL 9 must mount /var/tmp with the noexec option. - <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/tmp with the noexec option. - -Modify "/etc/fstab" to use the "noexec" option on the "/var/tmp" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002069 - OL 9 must mount /var/tmp with the nosuid option. - <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to mount /var/tmp with the nosuid option. - -Modify "/etc/fstab" to use the "nosuid" option on the "/var/tmp" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002070 - OL 9 must prevent device files from being interpreted on file systems that contain user home directories. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to prevent device files from being interpreted on file systems that contain user home directories. 
- -Modify "/etc/fstab" to use the "nodev" option on the "/home" directory. - - - - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - OL09-00-002071 - OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. - <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001764 - Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. - -Modify "/etc/fstab" to use the "nosuid" option on the "/home" directory. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002072 - OL 9 must prevent code from being executed on file systems that contain user home directories. - <VulnDiscussion>The noexec mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to prevent code from being executed on file systems that contain user home directories. - -Modify "/etc/fstab" to use the "noexec" option on the "/home" directory. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002080 - OL 9 must prevent special devices on nonroot local partitions. - <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions. 
- - - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - OL09-00-002100 - OL 9 must disable the graphical user interface automount function unless required. - <VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000778 - CCI-001958 - Configure the GNOME desktop to disable automated mounting of removable media. - -The dconf settings can be edited in the /etc/dconf/db/* location. - -Update the [org/gnome/desktop/media-handling] section of the "/etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines: - -[org/gnome/desktop/media-handling] -automount-open=false - -Update the dconf system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - OL09-00-002120 - OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. - <VulnDiscussion>A nonprivileged account is any operating system account with authorizations of a nonprivileged user. 
- -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000778 - CCI-001958 - Configure the GNOME desktop to not allow a user to change the setting that disables automated mounting of removable media. - -Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: - -/org/gnome/desktop/media-handling/automount-open - -Update the dconf system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - OL09-00-002121 - OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. - <VulnDiscussion>Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. 
- -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000778 - CCI-001958 - Configure the GNOME desktop to not allow a user to change the setting that disables autorun on removable media. - -Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: - -/org/gnome/desktop/media-handling/autorun-never - -Update the dconf system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - OL09-00-002122 - OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. - <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. 
- -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000048 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure OL 9 to prevent a user from overriding the banner setting for graphical user interfaces. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -$ sudo touch /etc/dconf/db/local.d/locks/session - -Add the following setting to prevent nonprivileged users from modifying it: - -/org/gnome/login-screen/banner-message-enable - -Run the following command to update the database: - -$ sudo dconf update - - - - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> - - OL09-00-002123 - OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled. 
- -Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. - -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000056 - CCI-000057 - Configure OL 9 to prevent a user from overriding settings for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - -$ sudo touch /etc/dconf/db/local.d/locks/session - -Add the following setting to prevent nonprivileged users from modifying it: - -/org/gnome/desktop/screensaver/lock-enabled - -Update the system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - OL09-00-002124 - OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. - -Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000057 - CCI-000060 - Configure OL 9 to prevent a user from overriding settings for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - -$ sudo touch /etc/dconf/db/local.d/locks/session - -Add the following setting to prevent nonprivileged users from modifying it: - -/org/gnome/desktop/session/idle-delay - -Update the system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - OL09-00-002125 - OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000057 - Configure OL 9 to prevent a user from overriding settings for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - -$ sudo touch /etc/dconf/db/local.d/locks/session - -Add the following setting to prevent nonprivileged users from modifying it: - -/org/gnome/desktop/screensaver/lock-delay - -Update the system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> - - OL09-00-002126 - OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. - <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000056 - CCI-000057 - Configure OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. - -Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock": - -/org/gnome/settings-daemon/peripherals/smartcard/removal-action - -Update the dconf system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002127 - OL 9 must disable the ability of a user to restart the system from the login screen. - <VulnDiscussion>A user who is at the console can reboot the system at the login screen. 
If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to disable a user's ability to restart the system. - -Add or update the [org/gnome/settings-daemon/] section of the /etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines: - -[org/gnome/settings-daemon/peripherals/smartcard] -disable-restart-buttons='true' - -Then update the dconf system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002128 - OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. - <VulnDiscussion>A user who is at the console can reboot the system at the login screen. 
If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to prevent a user from overriding the disable-restart-buttons setting for graphical user interfaces. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -$ sudo touch /etc/dconf/db/local.d/locks/session - -Add the following line to prevent nonprivileged users from modifying it: - -/org/gnome/login-screen/disable-restart-buttons - -Run the following command to update the database: - -$ sudo dconf update - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002129 - OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. - <VulnDiscussion>A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. 
If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to disallow the user changing the Ctrl-Alt-Del sequence in the GNOME desktop. - -Create a database to container system-wide graphical user logon settings (if it does not already exist) with the following command: - -$ sudo touch /etc/dconf/db/local.d/locks/session - -Add the following line to the session locks file to prevent nonprivileged users from modifying the Ctrl-Alt-Del setting: - -/org/gnome/settings-daemon/plugins/media-keys/logout - -Run the following command to update the database: - -$ sudo dconf update - - - - - - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - OL09-00-002150 - OL 9 must be configured to enable the display of the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. - <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. 
- -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000048 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure OL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a graphical user logon. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -$ sudo touch /etc/dconf/db/local.d/01-banner-message - -Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": - -[org/gnome/login-screen] - -banner-message-enable=true - -Run the following command to update the database: - -$ sudo dconf update - - - - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> - - OL09-00-002160 - OL 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. - <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000056 - CCI-000057 - Configure OL 9 to enable a user's session lock until that user reestablishes access using established identification and authentication procedures. - -Select or create an authselect profile and incorporate the "with-smartcard-lock-on-removal" feature with the following example: - -$ sudo authselect select sssd with-smartcard with-smartcard-lock-on-removal - -Alternatively, the dconf settings can be edited in the /etc/dconf/db/* location. - -Add or update the [org/gnome/settings-daemon/peripherals/smartcard] section of the /etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines: - -[org/gnome/settings-daemon/peripherals/smartcard] -removal-action='lock-screen' - -Update the dconf system databases: - -$ sudo dconf update - - - - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - OL09-00-002161 - OL 9 must not allow unattended or automatic logon via the graphical user interface. 
- <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure the GNOME desktop display manager to disable automatic login. - -Set AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example: - -[daemon] -AutomaticLoginEnable=false - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002301 - OL 9 must define default permissions for the bash shell. - <VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to define default permissions for all authenticated users using the bash shell. 
- -Add or edit the lines for the "umask" parameter in the "/etc/bashrc" file to "077": - -umask 077 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002302 - OL 9 must define default permissions for the c shell. - <VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to define default permissions for all authenticated users using the c shell. - -Add or edit the lines for the "umask" parameter in the "/etc/csh.cshrc" file to "077": - -umask 077 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002303 - OL 9 must define default permissions for the system default profile. - <VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - -Add or edit the lines for the "umask" parameter in the "/etc/profile" file to "077": - -umask 077 - - - - - - - - SRG-OS-000480-GPOS-00228 - <GroupDescription></GroupDescription> - - OL09-00-002304 - OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - <VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. 
- -Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to "077": - -UMASK 077 - - - - - - - - SRG-OS-000096-GPOS-00050 - <GroupDescription></GroupDescription> - - OL09-00-002320 - OL 9 must disable the chrony daemon from acting as a server. - <VulnDiscussion>Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. - -Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000382 - CCI-000381 - Configure OL 9 to disable the chrony daemon from acting as a server by adding/modifying the following line in the /etc/chrony.conf file: - -port 0 - - - - - - - - SRG-OS-000096-GPOS-00050 - <GroupDescription></GroupDescription> - - OL09-00-002321 - OL 9 must disable network management of the chrony daemon. - <VulnDiscussion>Not exposing the management interface of the chrony daemon on the network diminishes the attack space. 
- -Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000382 - CCI-000381 - Configure OL 9 to disable network management of the chrony daemon by adding/modifying the following line in the /etc/chrony.conf file: - -cmdport 0 - - - - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - OL09-00-002330 - OL 9 must enable Linux audit logging for the USBGuard daemon. - <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. - -DOD has defined the list of events for which OL 9 will provide an audit record generation capability as the following: - -1. Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2. 
Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3. All account creations, modifications, disabling, and terminations; and - -4. All kernel module load, unload, and restart actions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000169 - Configure OL 9 USBGuard AuditBackend to use the audit system. - -Add or edit the following line in /etc/usbguard/usbguard-daemon.conf - -AuditBackend=LinuxAudit - - - - - - - - SRG-OS-000032-GPOS-00013 - <GroupDescription></GroupDescription> - - OL09-00-002340 - OL 9 must log SSH connection attempts and failures to the server. - <VulnDiscussion>SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. 
The logout record can eliminate those users who disconnected, which helps narrow the field.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000067 - Configure OL 9 to log connection attempts add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". - -LogLevel VERBOSE - -Restart the SSH daemon for the settings to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000364-GPOS-00151 - <GroupDescription></GroupDescription> - - OL09-00-002341 - OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. - <VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001813 - Configure the SSH daemon to not allow GSSAPI authentication. 
- -Add or uncomment the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" and set the value to "no": - -GSSAPIAuthentication no - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - OL09-00-002342 - OL 9 must force a frequent session key renegotiation for SSH connections to the server. - <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - -Session key regeneration limits the chances of a session key becoming compromised. 
- -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002418 - CCI-000068 - CCI-002421 - Configure OL 9 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": - -RekeyLimit 1G 1h - -Restart the SSH daemon for the settings to take effect. - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000106-GPOS-00053 - <GroupDescription></GroupDescription> - - OL09-00-002343 - OL 9 SSHD must not allow blank passwords. - <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000766 - Configure OL 9 to prevent SSH users from logging on with blank passwords by editing the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": - -PermitEmptyPasswords no - -Restart the SSH daemon for the settings to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000125-GPOS-00065 - <GroupDescription></GroupDescription> - - OL09-00-002344 - OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. - <VulnDiscussion>When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000877 - Configure the OL 9 SSHD to use the UsePAM interface by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". 
- -UsePAM yes - -Restart the SSH daemon for the settings to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000109-GPOS-00056 - <GroupDescription></GroupDescription> - - OL09-00-002345 - OL 9 must not permit direct logons to the root account using remote access via SSH. - <VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-004045 - Configure OL 9 to prevent SSH users from logging on directly as root by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". - -PermitRootLogin no - -Restart the SSH daemon for the settings to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - OL09-00-002346 - OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. - <VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001133 - CCI-002361 - Note: This setting must be applied in conjunction with ClientAliveInterval to function correctly. 
- -Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. - -Modify or append the following lines in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": - -ClientAliveCountMax 1 - -In order for the changes to take effect, the SSH daemon must be restarted. - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - OL09-00-002347 - OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. - <VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. 
The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, SSHD will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001133 - CCI-002361 - CCI-002891 - Note: This setting must be applied in conjunction with ClientAliveCountMax" setting to function correctly. - -Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. - -Modify or append the following lines in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": - -ClientAliveInterval 600 - -In order for the changes to take effect, the SSH daemon must be restarted. - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002348 - OL 9 SSH daemon must not allow rhosts authentication. 
- <VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the SSH daemon to not allow rhosts authentication. - -Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": - -IgnoreRhosts yes - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002349 - OL 9 SSH daemon must not allow known hosts authentication. - <VulnDiscussion>Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the SSH daemon to not allow known hosts authentication. 
- -Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": - -IgnoreUserKnownHosts yes - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002350 - OL 9 SSH daemon must disable remote X connections for interactive users. - <VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the SSH daemon to not allow X11 forwarding. - -Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "no": - -X11Forwarding no - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002351 - OL 9 SSH daemon must perform strict mode checking of home directory configuration files. 
- <VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the SSH daemon to perform strict mode checking of home directory configuration files. - -Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": - -StrictModes yes - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002352 - OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. - <VulnDiscussion>Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the SSH daemon to provide users with feedback on when account accesses last occurred. 
- -Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": - -PrintLastLog yes - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002354 - OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. - <VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. - -Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": - -X11UseLocalhost yes - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002355 - OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. 
- <VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the SSH daemon to not allow compression. - -Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "delayed" or "no": - -Compression no - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000364-GPOS-00151 - <GroupDescription></GroupDescription> - - OL09-00-002356 - OL 9 SSH daemon must not allow Kerberos authentication. - <VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. 
Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001813 - Configure the SSH daemon to not allow Kerberos authentication. - -Add the following line in "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "no": - -KerberosAuthentication no - -The SSH service must be restarted for changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - OL09-00-002357 - OL 9 must not allow a noncertificate trusted host SSH logon to the system. - <VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not allow a noncertificate trusted host SSH logon to access the system. - -Add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". 
- -HostbasedAuthentication no - -Restart the SSH daemon for the settings to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - OL09-00-002358 - OL 9 must not allow users to override SSH environment variables. - <VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the OL 9 SSH daemon to not allow unattended or automatic logon to the system. - -Add or edit the following line in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": - -PermitUserEnvironment no - -Restart the SSH daemon for the setting to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000105-GPOS-00052 - <GroupDescription></GroupDescription> - - OL09-00-002359 - OL 9 SSHD must accept public key authentication. - <VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication. 
- -Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000765 - CCI-000766 - Configure OL 9 to accept public key authentication by adding or modifying the following line in "/etc/ssh/sshd_config". - -PubkeyAuthentication yes - -Restart the SSH daemon for the settings to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002360 - OL 9 must require reauthentication when using the "sudo" command. - <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to reauthenticate when using the "sudo" command. 
- -If the value is set to an integer less than "0", the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to reauthenticate "sudo" commands after the specified timeout: - -Add the following line to "/etc/sudoers": - -Defaults timestamp_timeout=0 - - - - - - - - SRG-OS-000312-GPOS-00123 - <GroupDescription></GroupDescription> - - OL09-00-002361 - OL 9 must restrict the use of the su command. - <VulnDiscussion>The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002165 - Configure OL 9 to require users to be in the "wheel" group to run su command. 
- -In file "/etc/pam.d/su", uncomment the following line: - -"#auth required pam_wheel.so use_uid" - -Or use the following command to update /etc/pam.d/su - -$ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su - -If necessary, create a "wheel" group and add administrative users to the group. - -$ grep wheel /etc/group - - - - - - - - SRG-OS-000327-GPOS-00127 - <GroupDescription></GroupDescription> - - OL09-00-002362 - OL 9 must require users to reauthenticate for privilege escalation. - <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002234 - Configure OL 9 to not allow users to execute privileged actions without authenticating. - -Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - -$ sudo sed -i '/\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/* - - - - - - - - SRG-OS-000327-GPOS-00127 - <GroupDescription></GroupDescription> - - OL09-00-002363 - OL 9 must require users to provide a password for privilege escalation. - <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. 
- -When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002234 - Configure OL 9 to not allow users to execute privileged actions without authenticating with a password. - -Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - -$ sudo sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/* - - - - - - - - SRG-OS-000327-GPOS-00127 - <GroupDescription></GroupDescription> - - OL09-00-002364 - OL 9 must not be configured to bypass password requirements for privilege escalation. - <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002234 - Configure the operating system to require users to supply a password for privilege escalation. - -Remove any occurrences of " pam_succeed_if " in the "/etc/pam.d/sudo" file. 
- - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002370 - OL 9 must disable the use of user namespaces. - <VulnDiscussion>User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: - -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable. - -user.max_user_namespaces = 0 - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002380 - OL 9 must disable the kernel.core_pattern. - <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to disable storing core dumps. - -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: - -kernel.core_pattern = |/bin/false - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002381 - OL 9 must disable core dump backtraces. - <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. - -Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. 
Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the operating system to disable core dump backtraces. - -Add or modify the following line in /etc/systemd/coredump.conf: - -ProcessSizeMax=0 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002382 - OL 9 must disable storing core dumps. - <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the operating system to disable storing core dumps for all users. 
- -Add or modify the following line in /etc/systemd/coredump.conf: - -Storage=none - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002383 - OL 9 must disable core dumps for all users. - <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the operating system to disable core dumps for all users. - -Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: - -* hard core 0 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002384 - OL 9 must disable acquiring, saving, and processing core dumps. - <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the system to disable the systemd-coredump.socket with the following command: - -$ sudo systemctl mask --now systemd-coredump.socket - -Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null - -Reload the daemon for this change to take effect. - -$ sudo systemctl daemon-reload - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002385 - OL 9 must be configured so that the kdump service is disabled. - <VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to disable and mask the kdump service. 
- -To disable the kdump service, run the following command: - -$ sudo systemctl disable --now kdump - -To mask the kdump service, run the following command: - -$ sudo systemctl mask --now kdump - - - - - - - - SRG-OS-000433-GPOS-00192 - <GroupDescription></GroupDescription> - - OL09-00-002390 - OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks. - <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - -SLAB objects are blocks of physically contiguous memory. SLUB is the unqueued SLAB allocator. 
- -Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002824 - CCI-001084 - Configure OL 9 to enable poisoning of SLUB/SLAB objects with the following commands: - -$ sudo grubby --update-kernel=ALL --args="slub_debug=P" - -Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: - -GRUB_CMDLINE_LINUX="slub_debug=P" - - - - - - - - SRG-OS-000433-GPOS-00193 - <GroupDescription></GroupDescription> - - OL09-00-002391 - OL 9 must enable mitigations against processor-based vulnerabilities. - <VulnDiscussion>Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). 
- -Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002824 - CCI-000381 - Configure OL 9 to enable kernel page-table isolation with the following command: - -$ sudo grubby --update-kernel=ALL --args="pti=on" - -Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: - -GRUB_CMDLINE_LINUX="pti=on" - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002392 - OL 9 must disable the ability of systemd to spawn an interactive boot process. - <VulnDiscussion>Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to allocate sufficient audit_backlog_limit to disable the ability of systemd to spawn an interactive boot process with the following command: - -$ sudo grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" - - - - - - - - SRG-OS-000134-GPOS-00068 - <GroupDescription></GroupDescription> - - OL09-00-002393 - OL 9 must disable virtual system calls. 
- <VulnDiscussion>System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual system calls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. - -Virtual system calls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling virtual system calls help to prevent return-oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on OL 6 components, virtual system calls will have to be enabled so the components function properly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001084 - Document the use of virtual system calls with the ISSO as an operational requirement or disable them with the following command: - -$ sudo grubby --update-kernel=ALL --args="vsyscall=none" - -Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: - -GRUB_CMDLINE_LINUX="vsyscall=none" - - - - - - - - SRG-OS-000134-GPOS-00068 - <GroupDescription></GroupDescription> - - OL09-00-002394 - OL 9 must clear the page allocator to prevent use-after-free attacks. 
- <VulnDiscussion>Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001084 - Configure OL 9 to enable page poisoning with the following commands: - -$ sudo grubby --update-kernel=ALL --args="page_poison=1" - -Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: - -GRUB_CMDLINE_LINUX="page_poison=1" - - - - - - - - SRG-OS-000269-GPOS-00103 - <GroupDescription></GroupDescription> - - OL09-00-002400 - OL 9 systemd-journald service must be enabled. 
- <VulnDiscussion>In the event of a system failure, OL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001665 - Configure OL 9 to enable the systemd-journald service with the following command: - -$ sudo systemctl enable --now systemd-journald - - - - - - - - SRG-OS-000312-GPOS-00123 - <GroupDescription></GroupDescription> - - OL09-00-002401 - OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. - <VulnDiscussion>By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
- -Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002165 - CCI-002235 - Configure OL 9 to enable DAC on hardlinks with the following: - -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -fs.protected_hardlinks = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000312-GPOS-00123 - <GroupDescription></GroupDescription> - - OL09-00-002402 - OL 9 must enable kernel parameters to enforce discretionary access control on symlinks. - <VulnDiscussion>By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
- -Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002165 - CCI-002235 - Configure OL 9 to enable DAC on symlinks with the following: - -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -fs.protected_symlinks = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000324-GPOS-00125 - <GroupDescription></GroupDescription> - - OL09-00-002403 - OL 9 debug-shell systemd service must be disabled. - <VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. 
This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002235 - Configure OL 9 to mask the debug-shell systemd service with the following command: - -$ sudo systemctl disable --now debug-shell.service -$ sudo systemctl mask --now debug-shell.service - - - - - - - - SRG-OS-000033-GPOS-00014 - <GroupDescription></GroupDescription> - - OL09-00-002404 - OL 9 IP tunnels must use 140-3 approved cryptographic algorithms. - <VulnDiscussion>Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000068 - Configure IPsec to use the systemwide cryptographic policy. - -Add the following line to "/etc/ipsec.conf": - -include /etc/crypto-policies/back-ends/libreswan.config - - - - - - - - SRG-OS-000132-GPOS-00067 - <GroupDescription></GroupDescription> - - OL09-00-002406 - OL 9 must restrict access to the kernel message buffer. 
- <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. - -There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. - -Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. - -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001082 - CCI-001090 - Configure OL 9 to restrict access to the kernel message buffer. 
- -Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: - -kernel.dmesg_restrict = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000132-GPOS-00067 - <GroupDescription></GroupDescription> - - OL09-00-002407 - OL 9 must prevent kernel profiling by nonprivileged users. - <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. - -There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. - -Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. 
- -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001082 - CCI-001090 - Configure OL 9 to prevent kernel profiling by nonprivileged users. - -Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: - -kernel.perf_event_paranoid = 2 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000132-GPOS-00067 - <GroupDescription></GroupDescription> - - OL09-00-002408 - OL 9 must restrict exposed kernel pointer addresses access. - <VulnDiscussion>Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". 
- -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001082 - CCI-002824 - Configure OL 9 to prevent the leak of kernel pointers to unprivileged users. - -Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: - -kernel.kptr_restrict = 1 - -Reload settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000132-GPOS-00067 - <GroupDescription></GroupDescription> - - OL09-00-002409 - OL 9 must disable access to network bpf system call from nonprivileged processes. - <VulnDiscussion>Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001082 - Configure OL 9 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: - -kernel.unprivileged_bpf_disabled = 1 - -The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000132-GPOS-00067 - <GroupDescription></GroupDescription> - - OL09-00-002410 - OL 9 must restrict usage of ptrace to descendant processes. - <VulnDiscussion>Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001082 - Configure OL 9 to restrict usage of ptrace to descendant processes by adding the following line to "/etc/sysctl.d/99-sysctl.conf": - -kernel.yama.ptrace_scope = 1 - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - OL09-00-002411 - OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. - <VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. 
- -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001133 - CCI-000057 - Configure OL 9 to exit interactive command shell user sessions after 15 minutes of inactivity. - -Add or edit the following line in "/etc/profile.d/tmout.sh": - -#!/bin/bash - -declare -xr TMOUT=900 - - - - - - - - SRG-OS-000324-GPOS-00125 - <GroupDescription></GroupDescription> - - OL09-00-002412 - OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled. - <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002235 - Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: - -CtrlAltDelBurstAction=none - -Reload the daemon for this change to take effect. - -$ sudo systemctl daemon-reload - - - - - - - - SRG-OS-000324-GPOS-00125 - <GroupDescription></GroupDescription> - - OL09-00-002413 - OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled. - <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002235 - Configure OL 9 to disable the ctrl-alt-del.target with the following command: - -$ sudo systemctl disable --now ctrl-alt-del.target -$ sudo systemctl mask --now ctrl-alt-del.target - - - - - - - - SRG-OS-000027-GPOS-00008 - <GroupDescription></GroupDescription> - - OL09-00-002415 - OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. - <VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. - -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions must be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000054 - Configure OL 9 to limit the number of concurrent sessions to "10" for all accounts and/or account types. - -Add the following line to the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: - -* hard maxlogins 10 - - - - - - - - SRG-OS-000329-GPOS-00128 - <GroupDescription></GroupDescription> - - OL09-00-002416 - OL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - <VulnDiscussion>By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
- -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002238 - CCI-000044 - Configure OL 9 to lock out the "root" account after a number of incorrect login attempts within 15 minutes using "pam_faillock.so" by enabling the feature using the following command: - -$ sudo authselect enable-feature with-faillock - -Then edit the "/etc/security/faillock.conf" file as follows: - -fail_interval = 900 - - - - - - - - SRG-OS-000329-GPOS-00128 - <GroupDescription></GroupDescription> - - OL09-00-002417 - OL 9 must maintain an account lock until the locked account is released by an administrator. - <VulnDiscussion>By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
- -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002238 - CCI-000044 - Configure OL 9 to lock an account until released by an administrator after three unsuccessful logon attempts with the command: - -$ sudo authselect enable-feature with-faillock - -Then edit the "/etc/security/faillock.conf" file as follows: - -unlock_time = 0 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002419 - OL 9 file systems must not contain shosts.equiv files. - <VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Remove any found "shosts.equiv" files from the system. 
- -$ sudo rm /[path]/[to]/[file]/shosts.equiv - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002420 - OL 9 file systems must not contain .shosts files. - <VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Remove any found ".shosts" files from the system. - -$ sudo rm /[path]/[to]/[file]/.shosts - - - - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - OL09-00-002421 - OL 9 must implement DOD-approved encryption in the bind package. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -OL 9 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. 
- -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-002418 - CCI-002422 - Configure BIND to use the system crypto policy. - -Add the following line to the "options" section in "/etc/named.conf": - -include "/etc/crypto-policies/back-ends/bind.config"; - - - - - - - - SRG-OS-000433-GPOS-00193 - <GroupDescription></GroupDescription> - - OL09-00-002423 - OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - <VulnDiscussion>ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002824 - Configure OL 9 to implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. 
- -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -kernel.randomize_va_space = 2 - -Reload settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000120-GPOS-00061 - <GroupDescription></GroupDescription> - - OL09-00-002424 - OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - <VulnDiscussion>Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000803 - Configure Kerberos to use system crypto policy. - -Remove incorrect symlink if it exists using the following command: - -$ sudo rm /etc/crypto-policies/back-ends/krb5.config - -Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command: - -$ sudo ln -s /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002425 - OL 9 must be configured to prevent unrestricted mail relaying. 
- <VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Modify the postfix configuration file to restrict client connections to the local network with the following command: - -$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002427 - OL 9 must be configured so that local initialization files do not execute world-writable programs. - <VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 so that local initialization files do not execute world-writable programs. 
- -Set the mode on files being executed by the local initialization files with the following command: - -$ sudo chmod 0755 <file> - - - - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - OL09-00-002428 - OL 9 must prevent the loading of a new kernel for later execution. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-003992 - Configure OL 9 to prevent the loading of a new kernel for later execution. - -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -kernel.kexec_load_disabled = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002430 - OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. 
- <VulnDiscussion>When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: - -net.core.bpf_jit_harden = 2 - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002502 - OL 9 SSH private host key files must have mode 0640 or less permissive. 
- <VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: - -$ sudo chmod 0640 /etc/ssh/ssh_host*key - -Restart the SSH daemon for the changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002503 - OL 9 SSH public host key files must have mode 0644 or less permissive. - <VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: - -$ sudo chmod 0644 /etc/ssh/*key.pub - -Restart the SSH daemon for the changes to take effect: - -$ sudo systemctl restart sshd.service - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002504 - OL 9 system commands must be group-owned by root or a system account. 
- <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the system commands to be protected from unauthorized access. - -Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. - -$ sudo chgrp root [FILE] - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002505 - OL 9 system commands must be owned by root. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the system commands to be protected from unauthorized access. - -Run the following command, replacing "[FILE]" with any system command file not owned by "root". - -$ sudo chown root [FILE] - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002506 - OL 9 system commands must have mode 755 or less permissive. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the system commands to be protected from unauthorized access. 
- -Run the following command, replacing "[FILE]" with any system command with a mode more permissive than "755". - -$ sudo chmod 755 [FILE] - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002507 - OL 9 SSH server configuration file must be group-owned by root. - <VulnDiscussion>Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the "/etc/ssh/sshd_config" file to be group-owned by root with the following command: - -$ sudo chgrp root /etc/ssh/sshd_config - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002508 - OL 9 SSH server configuration file must be owned by root. - <VulnDiscussion>Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. 
Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the "/etc/ssh/sshd_config" file to be owned by root with the following command: - -$ sudo chown root /etc/ssh/sshd_config - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002509 - OL 9 SSH server configuration file must have mode 0600 or less permissive. - <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the "/etc/ssh/sshd_config" permissions to be "0600" with the following command: - -$ sudo chmod 0600 /etc/ssh/sshd_config - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002513 - OL 9 local initialization files must have mode 0740 or less permissive. 
- <VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Set the mode of the local initialization files to "0740" with the following command: - -Note: The example will be for the wadea user, who has a home directory of "/home/wadea". - -$ sudo chmod 0740 /home/wadea/.<INIT_FILE> - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002515 - OL 9 local interactive user home directories must have mode 0750 or less permissive. - <VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: - -Note: The example will be for the user "wadea". 
- -$ sudo chmod 0750 /home/wadea - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002520 - OL 9 library directories must be group-owned by root or a system account. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. - -Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root". - -$ sudo chgrp root [DIRECTORY] - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002521 - OL 9 library directories must be owned by root. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. - -Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root". - -$ sudo chown root [DIRECTORY] - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002522 - OL 9 library directories must have mode 755 or less permissive. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. - -Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than 755. - -$ sudo chmod 755 [DIRECTORY] - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002523 - OL 9 library files must be group owned by root or a system account. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the OL 9 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be group owned by root with the following command: - -$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} + - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002524 - OL 9 library files must be owned by root. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be owned by root with the following command: - -$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} + - - - - - - - - SRG-OS-000259-GPOS-00100 - <GroupDescription></GroupDescription> - - OL09-00-002525 - OL 9 library files must have mode 0755 or less permissive. - <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001499 - Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to have mode 0755 or less permissive with the following command: - -$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} + - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002530 - OL 9 /boot/grub2/grub.cfg file must be group-owned by root. - <VulnDiscussion>The "root" group is a highly privileged group. The group-owner of this file should not have any access privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /boot/grub2/grub.cfg to root by running the following command: - -$ sudo chgrp root /boot/grub2/grub.cfg - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002531 - OL 9 /boot/grub2/grub.cfg file must be owned by root. - <VulnDiscussion>The "/boot/grub2/grub.cfg" file stores sensitive system configuration. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /boot/grub2/grub.cfg to root by running the following command: - -$ sudo chown root /boot/grub2/grub.cfg - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002532 - OL 9 /etc/group file must be group-owned by root. - <VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/group to root by running the following command: - -$ sudo chgrp root /etc/group - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002533 - OL 9 /etc/group- file must be group-owned by root. - <VulnDiscussion>The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. 
Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/group- to root by running the following command: - -$ sudo chgrp root /etc/group- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002534 - OL 9 /etc/group file must be owned by root. - <VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/group to root by running the following command: - -$ sudo chown root /etc/group - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002535 - OL 9 /etc/group- file must be owned by root. - <VulnDiscussion>The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. 
Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/group- to root by running the following command: - -$ sudo chown root /etc/group- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002536 - OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. - <VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/group" to "0644" by running the following command: - -$ sudo chmod 0644 /etc/group - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002537 - OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. - <VulnDiscussion>The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. 
Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/group-" to "0644" by running the following command: - -$ sudo chmod 0644 /etc/group- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002538 - OL 9 /etc/gshadow file must be group-owned by root. - <VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/gshadow to root by running the following command: - -$ sudo chgrp root /etc/gshadow - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002539 - OL 9 /etc/gshadow- file must be group-owned by root. - <VulnDiscussion>The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/gshadow- to root by running the following command: - -$ sudo chgrp root /etc/gshadow- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002540 - OL 9 /etc/gshadow file must be owned by root. - <VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/gshadow to root by running the following command: - -$ sudo chown root /etc/gshadow - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002541 - OL 9 /etc/gshadow- file must be owned by root. - <VulnDiscussion>The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/gshadow- to root by running the following command: - -$ sudo chown root /etc/gshadow- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002542 - OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. - <VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/gshadow" to "0000" by running the following command: - -$ sudo chmod 0000 /etc/gshadow - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002543 - OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. - <VulnDiscussion>The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/gshadow-" to "0000" by running the following command: - -$ sudo chmod 0000 /etc/gshadow- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002544 - OL 9 /etc/passwd file must be group-owned by root. - <VulnDiscussion>The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/passwd to root by running the following command: - -$ sudo chgrp root /etc/passwd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002545 - OL 9 /etc/passwd- file must be group-owned by root. - <VulnDiscussion>The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/passwd- to root by running the following command: - -$ sudo chgrp root /etc/passwd- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002546 - OL 9 /etc/passwd file must be owned by root. - <VulnDiscussion>The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/passwd to root by running the following command: - -$ sudo chown root /etc/passwd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002547 - OL 9 /etc/passwd- file must be owned by root. - <VulnDiscussion>The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/passwd- to root by running the following command: - -$ sudo chown root /etc/passwd- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002548 - OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. - <VulnDiscussion>If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/passwd" to "0644" by running the following command: - -$ sudo chmod 0644 /etc/passwd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002549 - OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. 
- <VulnDiscussion>The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/passwd-" to "0644" by running the following command: - -$ sudo chmod 0644 /etc/passwd- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002550 - OL 9 /etc/shadow file must be group-owned by root. - <VulnDiscussion>The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/shadow to root by running the following command: - -$ sudo chgrp root /etc/shadow - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002551 - OL 9 /etc/shadow- file must be group-owned by root. - <VulnDiscussion>The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the group of the file /etc/shadow- to root by running the following command: - -$ sudo chgrp root /etc/shadow- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002552 - OL 9 /etc/shadow file must be owned by root. - <VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/shadow to root by running the following command: - -$ sudo chown root /etc/shadow - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002553 - OL 9 /etc/shadow- file must be owned by root. - <VulnDiscussion>The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the owner of the file /etc/shadow- to root by running the following command: - -$ sudo chown root /etc/shadow- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002554 - OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. - <VulnDiscussion>The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/shadow-" to "0000" by running the following command: - -$ sudo chmod 0000 /etc/shadow- - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002555 - OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. - <VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. 
Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the mode of the file "/etc/shadow" to "0000" by running the following command: - -$ sudo chmod 0000 /etc/shadow - - - - - - - - SRG-OS-000206-GPOS-00084 - <GroupDescription></GroupDescription> - - OL09-00-002560 - OL 9 /var/log directory must be group-owned by root. - <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001314 - Configure the group owner of the directory "/var/log" to "root" by running the following command: - -$ sudo chgrp root /var/log - - - - - - - - SRG-OS-000206-GPOS-00084 - <GroupDescription></GroupDescription> - - OL09-00-002561 - OL 9 /var/log directory must be owned by root. - <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001314 - Configure the owner of the directory "/var/log" to "root" by running the following command: - -$ sudo chown root /var/log - - - - - - - - SRG-OS-000206-GPOS-00084 - <GroupDescription></GroupDescription> - - OL09-00-002562 - OL 9 /var/log directory must have mode 0755 or less permissive. - <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001314 - Configure the "/var/log" directory to a mode of "0755" by running the following command: - -$ sudo chmod 0755 /var/log - - - - - - - - SRG-OS-000206-GPOS-00084 - <GroupDescription></GroupDescription> - - OL09-00-002563 - OL 9 /var/log/messages file must be group-owned by root. - <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001314 - Change the group owner of the "/var/log/messages" file to "root" by running the following command: - -$ sudo chgrp root /var/log/messages - - - - - - - - SRG-OS-000206-GPOS-00084 - <GroupDescription></GroupDescription> - - OL09-00-002564 - OL 9 /var/log/messages file must be owned by root. - <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001314 - Change the owner of the "/var/log/messages" file to "root" by running the following command: - -$ sudo chown root /var/log/messages - - - - - - - - SRG-OS-000206-GPOS-00084 - <GroupDescription></GroupDescription> - - OL09-00-002565 - OL 9 /var/log/messages file must have mode 0640 or less permissive. - <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001314 - Configure the "/var/log/messages" file to have a mode of "0640" by running the following command: - -$ sudo chmod 0640 /var/log/messages - - - - - - - - SRG-OS-000256-GPOS-00097 - <GroupDescription></GroupDescription> - - OL09-00-002570 - OL 9 audit tools must be group-owned by root. - <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001493 - Configure the audit tools to be group-owned by "root" by running the following command: - -$ sudo chgrp root [audit_tool] - -Replace "[audit_tool]" with each audit tool not group-owned by "root". - - - - - - - - SRG-OS-000256-GPOS-00097 - <GroupDescription></GroupDescription> - - OL09-00-002571 - OL 9 audit tools must be owned by root. - <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001493 - Configure the audit tools to be owned by "root" by running the following command: - -$ sudo chown root [audit_tool] - -Replace "[audit_tool]" with each audit tool not owned by "root". - - - - - - - - SRG-OS-000256-GPOS-00097 - <GroupDescription></GroupDescription> - - OL09-00-002572 - OL 9 audit tools must have a mode of 0755 or less permissive. - <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001493 - Configure the audit tools to have a mode of "0755" by running the following command: - -$ sudo chmod 0755 [audit_tool] - -Replace "[audit_tool]" with each audit tool that has a more permissive mode than 0755. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002580 - OL 9 cron configuration directories must have a mode of 0700 or less permissive. - <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure any OL 9 cron configuration directory with a mode more permissive than "0700" as follows: - -$ sudo chmod 0700 [cron configuration directory] - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002581 - OL 9 cron configuration files directory must be group-owned by root. 
- <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure any cron configuration not group-owned by root with the following command: - -$ sudo chgrp root [cron config file] - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002582 - OL 9 cron configuration files directory must be owned by root. 
- <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure any cron configuration not owned by root with the following command: - -$ sudo chown root [cron config file] - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-002583 - OL 9 /etc/crontab file must have mode 0600. - <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must have the correct access rights to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the OL 9 file /etc/crontab with mode 600. 
- -$ sudo chmod 0600 /etc/crontab - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-003000 - OL 9 must be configured so that the root account is the only account having unrestricted access to the system. - <VulnDiscussion>An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Change the UID of any account on the system, other than root, that has a UID of "0". - -If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - - - - - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - OL09-00-003001 - OL 9 duplicate User IDs (UIDs) must not exist for interactive users. - <VulnDiscussion>To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. 
- -Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000764 - CCI-000804 - CCI-000135 - Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-003002 - OL 9 local interactive users must have a home directory assigned in the /etc/passwd file. - <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Create and assign home directories to all local interactive users on OL 9 that currently do not have a home directory assigned. - - - - - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - OL09-00-003005 - OL 9 interactive users must have a primary group that exists. 
- <VulnDiscussion>If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000764 - Configure the system so that all GIDs are referenced in "/etc/passwd" are defined in "/etc/group". - -Edit the file "/etc/passwd" and ensure that every user's GID is a valid GID. - - - - - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - OL09-00-003006 - OL 9 groups must have unique Group ID (GID). - <VulnDiscussion>To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000764 - Edit the file "/etc/group" and provide each group that has a duplicate GID with a unique GID. - - - - - - - - SRG-OS-000021-GPOS-00005 - <GroupDescription></GroupDescription> - - OL09-00-003010 - OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. 
- <VulnDiscussion>Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000044 - Configure OL 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy. - -Create a nondefault faillock tally directory (if it does not already exist) with the following example: - -$ sudo mkdir /var/log/faillock - -Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the nondefault faillock tally directory with the following command: - -$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" - -Update the context type of the nondefault faillock directory/subdirectories and files with the following command: - -$ sudo restorecon -R -v /var/log/faillock - - - - - - - - SRG-OS-000329-GPOS-00128 - <GroupDescription></GroupDescription> - - OL09-00-003020 - OL 9 must automatically lock an account when three unsuccessful logon attempts occur. - <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
- -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002238 - CCI-000044 - Configure OL 9 to lock an account when three unsuccessful logon attempts occur. - -Add/modify the "/etc/security/faillock.conf" file to match the following line: - -deny = 3 - - - - - - - - SRG-OS-000329-GPOS-00128 - <GroupDescription></GroupDescription> - - OL09-00-003021 - OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. 
- -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002238 - CCI-000044 - Configure OL 9 to lock out the "root" account after a number of incorrect login attempts using "pam_faillock.so", first enable the feature using the following command: - -$ sudo authselect enable-feature with-faillock - -Then edit the "/etc/security/faillock.conf" file as follows: - - add or uncomment the following line: - even_deny_root - - - - - - - - SRG-OS-000021-GPOS-00005 - <GroupDescription></GroupDescription> - - OL09-00-003022 - OL 9 must log username information when unsuccessful logon attempts occur. - <VulnDiscussion>Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000044 - Configure OL 9 to log username information when unsuccessful logon attempts occur. - -Add/modify the "/etc/security/faillock.conf" file to match the following line: - -audit - - - - - - - - SRG-OS-000021-GPOS-00005 - <GroupDescription></GroupDescription> - - OL09-00-003023 - OL 9 must ensure account lockouts persist. 
- <VulnDiscussion>Having lockouts persist across reboots ensures that account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000044 - Configure OL 9 maintain the contents of the faillock directory after a reboot. - -Add/modify the "/etc/security/faillock.conf" file to match the following line: - -dir = /var/log/faillock - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-003051 - OL 9 system accounts must not have an interactive login shell. - <VulnDiscussion>Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 so that all noninteractive accounts on the system do not have an interactive shell assigned to them. - -If the system account needs a shell assigned for mission operations, document the need with the ISSO. 
- -Run the following command to disable the interactive shell for a specific noninteractive user account: - -Replace <user> with the user that has a login shell. - -$ sudo usermod --shell /sbin/nologin <user> - -Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-003052 - OL 9 local interactive user accounts must be assigned a home directory upon creation. - <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. - -CREATE_HOME yes - - - - - - - - SRG-OS-000118-GPOS-00060 - <GroupDescription></GroupDescription> - - OL09-00-003065 - OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. - <VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. - -Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. - -Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
- -Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-003627 - CCI-003628 - Configure OL 9 to disable account identifiers after 35 days of inactivity after the password expiration. - -Run the following command to change the configuration for useradd: - -$ sudo useradd -D -f 35 - -The recommendation is 35 days, but a lower value is acceptable. - - - - - - - - SRG-OS-000480-GPOS-00226 - <GroupDescription></GroupDescription> - - OL09-00-003070 - OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. - <VulnDiscussion>Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the OL 9 to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. 
- -Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to 4 or greater: - -FAIL_DELAY 4 - - - - - - - - SRG-OS-000032-GPOS-00013 - <GroupDescription></GroupDescription> - - OL09-00-005000 - OL 9 remote access methods must be monitored. - <VulnDiscussion>Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000067 - Configure OL 9 remote access methods to be monitored. - -Add or update the following lines to the "/etc/rsyslog.conf" file: - -auth.*;authpriv.*;daemon.* /var/log/secure - -The "rsyslog" service must be restarted for the changes to take effect with the following command: - -$ sudo systemctl restart rsyslog.service - - - - - - - - SRG-OS-000479-GPOS-00224 - <GroupDescription></GroupDescription> - - OL09-00-005005 - OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Offloading is a common process in information systems with limited audit storage capacity. - -OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. 
Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - -Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. - -Examples of each configuration: -UDP *.* @remotesystemname -TCP *.* @@remotesystemname -RELP *.* :omrelp:remotesystemname:2514 -Note that a port number was given as there is no standard port for RELP. - -Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - Configure OL 9 to offload audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in "/etc/rsyslog.conf"" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. - -*.* @@[remoteloggingserver]:[port]" - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - OL09-00-005015 - OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Offloading is a common process in information systems with limited audit storage capacity. 
- -OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - -"Rsyslog" supported authentication modes include: -anon - anonymous authentication -x509/fingerprint - certificate fingerprint authentication -x509/certvalid - certificate validation only -x509/name - certificate validation and subject name authentication - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - Configure OL 9 to authenticate the remote logging server for off-loading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": - -$ActionSendStreamDriverAuthMode x509/name - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - OL09-00-005020 - OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Offloading is a common process in information systems with limited audit storage capacity. - -OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. 
Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - -"Rsyslog" supported authentication modes include: -anon - anonymous authentication -x509/fingerprint - certificate fingerprint authentication -x509/certvalid - certificate validation only -x509/name - certificate validation and subject name authentication - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - Configure OL 9 to encrypt offloaded audit records via rsyslog by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": - -$ActionSendStreamDriverMode 1 - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - OL09-00-005025 - OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Offloading is a common process in information systems with limited audit storage capacity. - -OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. 
Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-001851 - Configure OL 9 to use the gtls driver to encrypt offloaded audit records by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": - -$DefaultNetstreamDriver gtls - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-005030 - OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. - <VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. 
- -If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not receive remote logs using rsyslog. - -Remove the lines in /etc/rsyslog.conf and any files in the /etc/rsyslog.d directory that match any of the following: - -$ModLoad imtcp -$ModLoad imudp -$ModLoad imrelp -$InputTCPServerRun [0-9]* -$UDPServerRun [0-9]* -$InputRELPServerRun [0-9]* - -The rsyslog daemon must be restarted for the changes to take effect: - -$ sudo systemctl restart rsyslog.service - - - - - - - - SRG-OS-000420-GPOS-00186 - <GroupDescription></GroupDescription> - - OL09-00-006000 - OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. - <VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -This requirement addresses the configuration of OL 9 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). 
Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002385 - Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf": - -FirewallBackend=nftables - -Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006002 - OL 9 must configure a DNS processing mode set be Network Manager. - <VulnDiscussion>To ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure NetworkManager in OL 9 to use a DNS mode. - -In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section: - -dns = none - -NetworkManager must be reloaded for the change to take effect. 
- -$ sudo systemctl reload NetworkManager - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006003 - OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. - <VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure the operating system to use two or more name servers for DNS resolution based on the DNS mode of the system. - -If the NetworkManager DNS mode is set to "none", then add the following lines to "/etc/resolv.conf": - -nameserver [name server 1] -nameserver [name server 2] - -Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. - -If the NetworkManager DNS mode is set to "default" then add two DNS servers to a NetworkManager connection. Using the following commands: - -$ sudo nmcli connection modify [connection name] ipv4.dns [name server 1] -$ sudo nmcli connection modify [connection name] ipv4.dns [name server 2] - -Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. Replace [connection name] with a valid NetworkManager connection name on the system. Replace ipv4 with ipv6 if IPv6 DNS servers are used. 
- - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006004 - OL 9 network interfaces must not be in promiscuous mode. - <VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. - -If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information systems security officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. - -Set the promiscuous mode of an interface to off with the following command: - -$ sudo ip link set dev <devicename> multicast off promisc off - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006020 - OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -This feature of the IPv4 protocol has few legitimate uses. 
It should be disabled unless absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to ignore IPv4 ICMP redirect messages. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.all.accept_redirects = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006021 - OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. - -Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It must be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to ignore IPv4 source-routed packets. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.all.accept_source_route = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006022 - OL 9 must log IPv4 packets with impossible addresses. - <VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to log martian packets on IPv4 interfaces. 
- -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.all.log_martians=1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006023 - OL 9 must log IPv4 packets with impossible addresses by default. - <VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to log martian packets on IPv4 interfaces by default. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.default.log_martians=1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006024 - OL 9 must use reverse path filtering on all IPv4 interfaces. - <VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. 
It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to use reverse path filtering on all IPv4 interfaces. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.all.rp_filter = 1 - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006025 - OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -This feature of the IPv4 protocol has few legitimate uses. 
It must be disabled unless absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to prevent IPv4 ICMP redirect messages from being accepted. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.default.accept_redirects = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006026 - OL 9 must not forward IPv4 source-routed packets by default. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. - -Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not forward IPv4 source-routed packets by default. 
- -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.default.accept_source_route = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006027 - OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default. - <VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to use reverse path filtering on IPv4 interfaces by default. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.default.rp_filter = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006028 - OL 9 must not enable IPv4 packet forwarding unless the system is a router. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this capability is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not allow IPv4 packet forwarding unless the system is a router. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.all.forwarding = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006030 - OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - <VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. - -Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not respond to IPv4 ICMP echoes sent to a broadcast address. 
- -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.icmp_echo_ignore_broadcasts = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006031 - OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. - <VulnDiscussion>Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not log bogus ICMP errors: - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.icmp_ignore_bogus_error_responses = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006032 - OL 9 must not send Internet Control Message Protocol (ICMP) redirects. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table possibly revealing portions of the network topology. - -The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not allow interfaces to perform IPv4 ICMP redirects. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.all.send_redirects = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006033 - OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
- -The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000366 - Configure OL 9 to not allow interfaces to perform IPv4 ICMP redirects by default. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.default.send_redirects = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006040 - OL 9 must not accept router advertisements on all IPv6 interfaces. - <VulnDiscussion>An illicit router advertisement message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. 
- -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.all.accept_ra = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006041 - OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - <VulnDiscussion>An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to ignore IPv6 ICMP redirect messages. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.all.accept_redirects = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006042 - OL 9 must not forward IPv6 source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to not forward IPv6 source-routed packets. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.all.accept_source_route = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006043 - OL 9 must not enable IPv6 packet forwarding unless the system is a router. - <VulnDiscussion>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to not allow IPv6 packet forwarding unless the system is a router. 
- -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.all.forwarding = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006044 - OL 9 must not accept router advertisements on all IPv6 interfaces by default. - <VulnDiscussion>An illicit router advertisement message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.default.accept_ra = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006045 - OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to prevent IPv6 ICMP redirect messages from being accepted. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.default.accept_redirects = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - OL09-00-006046 - OL 9 must not forward IPv6 source-routed packets by default. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - -Accepting source-routed packets in the IPv6 protocol has few legitimate uses. 
It must be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - - CCI-000366 - Configure OL 9 to not forward IPv6 source-routed packets by default. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.default.accept_source_route = 0 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000420-GPOS-00186 - <GroupDescription></GroupDescription> - - OL09-00-006050 - OL 9 must be configured to use TCP syncookies. - <VulnDiscussion>Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. 
- -Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-002385 - CCI-001095 - Configure OL 9 to use TCP syncookies. - -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - - net.ipv4.tcp_syncookies = 1 - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --system - - - - - - - - SRG-OS-000462-GPOS-00206 - <GroupDescription></GroupDescription> - - OL09-00-008000 - OL 9 audit system must protect logon UIDs from unauthorized change. - <VulnDiscussion>If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. 
- -Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000172 - CCI-000162 - CCI-000163 - CCI-000164 - Configure OL 9 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules: - ---loginuid-immutable - -The audit daemon must be restarted for the changes to take effect. - -$ sudo service auditd restart - - - - - - - - SRG-OS-000057-GPOS-00027 - <GroupDescription></GroupDescription> - - OL09-00-008005 - OL 9 audit system must protect auditing rules from unauthorized change. - <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 9 system activity. - -In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable, and a system administrator could then investigate the unauthorized changes. 
- -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000162 - CCI-000163 - CCI-000164 - Configure the audit system to set the audit rules to be immutable by adding the following line to end of "/etc/audit/rules.d/audit.rules" - --e 2 - -The audit daemon must be restarted for the changes to take effect. - -$ sudo service auditd restart - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - OL09-00-002584 - OL 9 must audit any script or executable called by cron as root or by any privileged user. - <VulnDiscussion>Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions 0755 or more restrictive, and should have no extended rights that allow any nonprivileged user to modify the script or executable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Oracle Linux 9 - DISA - DPMS Target - Oracle Linux 9 - 5680 - - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - Configure OL 9 to audit the execution of any system call made by cron as root or as any privileged user. 
- -Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": - -auditctl -w /etc/cron.d/ -p wa -k cronjobs -auditctl -w /var/spool/cron/ -p wa -k cronjobs - -To load the rules to the kernel immediately, use the following command: - -$ sudo augenrules --load - - - - - - - - - - - - Security Content Tool 1.6.0 - 5.11 - 2025-10-14T01:53:34 - - - - - The operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. - - - - - - - - - - The operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. - - - - - - - - - - - The operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. - - - - - - - - - The operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. - - - - - - - - - The operating system shadow password suite must be configured to use a sufficient number of hashing rounds. - - - - - - - - - - - - - - The operating system pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. - - - - - - - - - The operating system must use a Linux Security Module configured to enforce limits on system services. - - - - - - - - - - - The operating system must have policycoreutils package installed. - - - - - - - - - The operating system /var/log/messages file must have mode 0640 or less permissive. - - - - - - - - - The operating system /var/log/messages file must be owned by root. - - - - - - - - - The operating system /var/log/messages file must be group-owned by root. - - - - - - - - - The operating system /var/log directory must have mode 0755 or less permissive. - - - - - - - - - The operating system /var/log directory must be owned by root. 
- - - - - - - - - The operating system /var/log directory must be group-owned by root. - - - - - - - - - The operating system library files must be owned by root. - - - - - - - - - The operating system library files must be group-owned by root or a system account. - - - - - - - - - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. - - - - - - - - - - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. - - - - - - - - - The operating system must prevent the loading of a new kernel for later execution. - - - - - - - - - - The operating system must enable kernel parameters to enforce discretionary access control on hardlinks. - - - - - - - - - - The operating system must restrict access to the kernel message buffer. - - - - - - - - - - The operating system must prevent kernel profiling by unprivileged users. - - - - - - - - - - The operating system must require users to provide a password for privilege escalation. - - - - - - - - - - The operating system must have the packages required for multifactor authentication installed. - - - - - - - - - The operating system must clear the page allocator to prevent use-after-free attacks. - - - - - - - - - - The operating system must disable virtual syscalls. - - - - - - - - - - The operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. 
- - - - - - - - - - YUM must remove all software components after updated versions have been installed on the operating system. - - - - - - - - - The operating system must enable the SELinux targeted policy. - - - - - - - - - - There must be no shosts.equiv files on the operating system operating system. - - - - - - - - - There must be no .shosts files on the operating system operating system. - - - - - - - - - The operating system SSH public host key files must have mode 0644 or less permissive. - - - - - - - - - The operating system SSH private host key files must have mode 0640 or less permissive. - - - - - - - - - The operating system SSH daemon must perform strict mode checking of home directory configuration files. - - - - - - - - - The operating system must use a separate file system for /var. - - - - - - - - - - The operating system must use a separate file system for the system audit data path. - - - - - - - - - - A separate the operating system filesystem must be used for the /tmp directory. - - - - - - - - - - The operating system must not permit direct logons to the root account using remote access via SSH. - - - - - - - - - The operating system must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. - - - - - - - - - The operating system must prevent files with the setuid and setgid bit set from being executed on the /boot directory. - - - - - - - - - - The operating system must prevent special devices on non-root local partitions. - - - - - - - - - - The operating system must prevent code from being executed on file systems that are imported via Network File System (NFS). - - - - - - - - - - The operating system must prevent special devices on file systems that are imported via Network File System (NFS). - - - - - - - - - The operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). 
- - - - - - - - - The operating system must disable kernel dumps unless needed. - - - - - - - - - - - The operating system must disable the kernel.core_pattern. - - - - - - - - - - The operating system must disable acquiring, saving, and processing core dumps. - - - - - - - - - - The operating system must disable core dumps for all users. - - - - - - - - - - The operating system must disable storing core dumps. - - - - - - - - - The operating system must disable core dump backtraces. - - - - - - - - - For Systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. - - - - - - - - - - - - - - All the operating system local interactive user accounts must be assigned a home directory upon creation. - - - - - - - - - All the operating system local initialization files must have mode 0740 or less permissive. - - - - - - - - - - A separate operating system filesystem must be used for user home directories (such as /home or an equivalent). - - - - - - - - - Unattended or automatic logon via the operating system graphical user interface must not be allowed. - - - - - - - - - The operating system must automatically lock an account when three unsuccessful logon attempts occur. - - - - - - - - - The operating system must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - - - - - - - - - The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - - - - - - - - - The operating system must ensure account lockouts persist - - - - - - - - - The operating system must log user name information when unsuccessful logon attempts occur. - - - - - - - - - The operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
- - - - - - - - - The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. - - - - - - - - - - The operating system must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. - - - - - - - - - The operating system must ensure the password complexity module is enabled in the password-auth file. - - - - - - - - - The operating system must enforce password complexity by requiring that at least one uppercase character be used. - - - - - - - - - The operating system must enforce password complexity by requiring that at least one lower-case character be used. - - - - - - - - - The operating system must enforce password complexity by requiring that at least one numeric character be used. - - - - - - - - - The operating system must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - - - - - - - - - The operating system must require the maximum number of repeating characters be limited to three when passwords are changed. - - - - - - - - - The operating system must require the change of at least four character classes when passwords are changed. - - - - - - - - - The operating system must require the change of at least 8 characters when passwords are changed. - - - - - - - - - The operating system passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. - - - - - - - - - - The operating system passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs. - - - - - - - - - The operating system user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. - - - - - - - - - - The operating system passwords must have a minimum of 15 characters. 
- - - - - - - - - The operating system account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. - - - - - - - - - All the operating system passwords must contain at least one special character. - - - - - - - - - The operating system must prohibit the use of cached authentications after one day. - - - - - - - - - - The operating system must prevent the use of dictionary words for passwords. - - - - - - - - - The operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. - - - - - - - - - The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - - - - - - - - - The operating system audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - - - - - - - - - - - - The operating system System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. - - - - - - - - - The operating system Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. - - - - - - - - - The operating system System must take appropriate action when an audit processing failure occurs. - - - - - - - - - The operating system audit system must take appropriate action when the audit storage volume is full. - - - - - - - - - The operating system audit system must audit local events. - - - - - - - - - The operating system must label all off-loaded audit logs before sending them to the central log server. - - - - - - - - - The operating system must resolve audit information before writing to disk. 
- - - - - - - - - The operating system audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. - - - - - - - - - The operating system audit logs must be group-owned by root to prevent unauthorized read access. - - - - - - - - - The operating system audit log directory must be owned by root to prevent unauthorized read access. - - - - - - - - - The operating system audit system must protect auditing rules from unauthorized change. - - - - - - - - - The operating system audit system must protect logon UIDs from unauthorized change. - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. - - - - - - - - - The operating system audit package must be installed. - - - - - - - - - Successful/unsuccessful uses of the su command in the operating system must generate an audit record. 
- - - - - - - - - The operating system audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. - - - - - - - - - - - - - - - - - Successful/unsuccessful uses of the chage command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the chcon command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the ssh-agent in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the passwd command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the mount command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the umount command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the unix_update in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of postdrop in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of postqueue in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of semanage in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of setfiles in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of userhelper in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of setsebool in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of unix_chkpwd in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the ssh-keysign in the operating system must generate an audit record. 
- - - - - - - - - Successful/unsuccessful uses of the setfacl command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the pam_timestamp_check command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the newgrp command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the init_module and finit_module system calls in the operating system must generate an audit record. - - - - - - - - - - - - Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in the operating system must generate an audit record. - - - - - - - - - - - - - Successful/unsuccessful uses of the gpasswd command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the delete_module command in the operating system must generate an audit record. - - - - - - - - - - Successful/unsuccessful uses of the crontab command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the chsh command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in the operating system must generate an audit record. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in the operating system must generate an audit record. - - - - - - - - - - - - - - - - Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in the operating system must generate an audit record. - - - - - - - - - - - - - - Successful/unsuccessful uses of the sudo command in the operating system must generate an audit record. 
- - - - - - - - - Successful/unsuccessful uses of the usermod command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the chacl command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the kmod command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful modifications to the lastlog file in the operating system must generate an audit record. - - - - - - - - - The operating system must enable auditing of processes that start prior to the audit daemon. - - - - - - - - - - The operating system must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. - - - - - - - - - - The operating system must enable Linux audit logging for the USBGuard daemon. - - - - - - - - - The operating system must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - - - - - - - - - - The operating system audit tools must have a mode of 0755 or less permissive. - - - - - - - - - The operating system audit tools must be owned by root. - - - - - - - - - The operating system audit tools must be group-owned by root. - - - - - - - - - The operating system must use cryptographic mechanisms to protect the integrity of audit tools. - - - - - - - - - - - - - - The operating system must have the packages required for offloading audit logs installed. - - - - - - - - - The operating system must have the packages required for encrypting offloaded audit logs installed. - - - - - - - - - The operating system must take appropriate action when the internal event queue is full. - - - - - - - - - The operating system must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
- - - - - - - - - - The operating system must disable the chrony daemon from acting as a server. - - - - - - - - - The operating system must disable network management of the chrony daemon. - - - - - - - - - The operating system must not have the telnet-server package installed. - - - - - - - - - The operating system must not have the sendmail package installed. - - - - - - - - - The operating system must enable mitigations against processor-based vulnerabilities. - - - - - - - - - - The operating system must disable the transparent inter-process communication (TIPC) protocol. - - - - - - - - - - The operating system must disable mounting of cramfs. - - - - - - - - - - - - - - - - The operating system file system automounter must be disabled unless required. - - - - - - - - - The operating system must be configured to disable USB mass storage. - - - - - - - - - - A firewall must be installed on the operating system. - - - - - - - - - The operating system Bluetooth must be disabled. - - - - - - - - - - The operating system must mount /dev/shm with the nodev option. - - - - - - - - - - The operating system must mount /dev/shm with the nosuid option. - - - - - - - - - - The operating system must mount /dev/shm with the noexec option. - - - - - - - - - - The operating system must mount /tmp with the nodev option. - - - - - - - - - - - The operating system must mount /tmp with the nosuid option. - - - - - - - - - - The operating system must mount /var/log with the nodev option. - - - - - - - - - - - The operating system must mount /var/log with the nosuid option. - - - - - - - - - - - The operating system must mount /var/log with the noexec option. - - - - - - - - - - - The operating system must mount /var/log/audit with the nodev option. - - - - - - - - - - - The operating system must mount /var/log/audit with the nosuid option. - - - - - - - - - - The operating system must mount /var/log/audit with the noexec option. 
- - - - - - - - - - The operating system must mount /var/tmp with the nodev option. - - - - - - - - - - The operating system must mount /var/tmp with the nosuid option. - - - - - - - - - - The operating system must mount /var/tmp with the noexec option. - - - - - - - - - A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system can implement rate-limiting measures on impacted network interfaces. - - - - - - - - - The operating system must force a frequent session key renegotiation for SSH connections to the server. - - - - - - - - - - - - - The x86 Ctrl-Alt-Delete key sequence must be disabled on the operating system. - - - - - - - - - The systemd Ctrl-Alt-Delete burst key sequence in the operating system must be disabled. - - - - - - - - - The debug-shell systemd service must be disabled on the operating system. - - - - - - - - - The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for the operating system operational support. - - - - - - - - - The root account must be the only account having unrestricted access to the operating system system. - - - - - - - - - The operating system must not forward IPv6 source-routed packets by default. - - - - - - - - - - The operating system must disable access to network bpf syscall from unprivileged processes. - - - - - - - - - - The operating system must restrict usage of ptrace to descendant processes. - - - - - - - - - - The operating system must disable the use of user namespaces. - - - - - - - - - - The operating system must be configured to prevent unrestricted mail relaying. - - - - - - - - - The graphical display manager must not be installed on the operating system unless approved. - - - - - - - - - The operating system network interfaces must not be in promiscuous mode. 
- - - - - - - - - The operating system remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. - - - - - - - - - The operating system SSH daemon must prevent remote hosts from connecting to the proxy display. - - - - - - - - - The iprutils package must not be installed unless mission essential on the operating system. - - - - - - - - - The tuned package must not be installed unless mission essential on the operating system. - - - - - - - - - The operating system operating system must log SSH connection attempts and failures to the server. - - - - - - - - - The operating system must use the invoking user's password for privilege escalation when using "sudo". - - - - - - - - - - - - - - - - - - - The operating system must require re-authentication when using the "sudo" command. - - - - - - - - - The operating system must generate audit records for successful/unsuccessful uses of the sudoedit command. - - - - - - - - - The operating system must generate audit records for the use and modification of the tallylog file. - - - - - - - - - The operating system must display a banner before granting local or remote access to the system via a graphical user logon. - - - - - - - - - The operating system operating systems must require authentication upon booting into emergency mode. - - - - - - - - - The operating system SSH daemon must be configured to use system-wide crypto policies. - - - - - - - - - The operating system must have the packages required to use the hardware random number generator entropy gatherer service. - - - - - - - - - The operating system SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. - - - - - - - - - - - - - The operating system must use a separate file system for /var/tmp. - - - - - - - - - The operating system must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. 
- - - - - - - - - - The operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface. - - - - - - - - - - The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. - - - - - - - - - - The operating system must not allow blank or null passwords in the system-auth file. - - - - - - - - - The operating system must not allow blank or null passwords in the password-auth file. - - - - - - - - - The operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. - - - - - - - - - The operating system fapolicy module must be enabled. - - - - - - - - - All the operating system networked systems must have openssh-server package installed. - - - - - - - - - The operating system must enable hardening for the Berkeley Packet Filter Just-in-time compiler. - - - - - - - - - - Successful/unsuccessful uses of the "rmdir" command in the operating system must generate an audit record. - - - - - - - - - - The operating system operating system must not have accounts configured with blank or null passwords. - - - - - - - - - The operating system must ensure the password complexity module is enabled in the system-auth file. - - - - - - - - - Systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. - - - - - - - - - The graphical display manager must not be the default target on the operating system unless approved. - - - - - - - - - Successful/unsuccessful uses of the "rename" command in the operating system must generate an audit record. - - - - - - - - - - Successful/unsuccessful uses of the "renameat" command in the operating system must generate an audit record. 
- - - - - - - - - - Successful/unsuccessful uses of the "unlink" command in the operating system must generate an audit record - - - - - - - - - - Successful/unsuccessful uses of the "unlinkat" command in the operating system must generate an audit record. - - - - - - - - - - The operating system audit system must be configured to audit any usage of the "fsetxattr" system call. - - - - - - - - - - - - The operating system audit system must be configured to audit any usage of the "lsetxattr" system call. - - - - - - - - - - - - Successful/unsuccessful uses of the fremovexattr system call in the operating system must generate an audit record. - - - - - - - - - - - - Successful/unsuccessful uses of the "lremovexattr" system call in the operating system must generate an audit record. - - - - - - - - - - - - Successful/unsuccessful uses of the "removexattr" system call in the operating system must generate an audit record. - - - - - - - - - - - - The operating system must enable the hardware random number generator entropy gatherer service. - - - - - - - - - The operating system systemd-journald service must be enabled. - - - - - - - - - The operating system must require a boot loader superuser password. - - - - - - - - - - The operating system must disable the ability of systemd to spawn an interactive boot process. - - - - - - - - - - The operating system /boot/grub2/grub.cfg file must be group-owned by root. - - - - - - - - - The operating system /boot/grub2/grub.cfg file must be owned by root. - - - - - - - - - The operating system must restrict exposed kernel pointer addresses access. - - - - - - - - - - The operating system must enable kernel parameters to enforce discretionary access control on symlinks. - - - - - - - - - - The operating system must disable the asynchronous transfer mode (ATM) protocol. - - - - - - - - - - - - - - - - The operating system must disable the controller area network (CAN) protocol. 
- - - - - - - - - The operating system must disable IEEE 1394 (FireWire) Support. - - - - - - - - - - - - - - - - The operating system must disable the stream control transmission protocol (SCTP). - - - - - - - - - - - - - - - - The operating system must check the GPG signature of software packages originating from external software repositories before installation. - - - - - - - - - A File Transfer Protocol (FTP) server package must not be installed unless mission essential on the operating system. - - - - - - - - - The operating system must not have the nfs-utils package installed. - - - - - - - - - The gssproxy package must not be installed unless mission essential on the operating system. - - - - - - - - - The operating system must not have the quagga package installed. - - - - - - - - - The operating system must have the gnutls-utils package installed. - - - - - - - - - The operating system must have the nss-tools package installed. - - - - - - - - - The operating system must have the s-nail package installed. - - - - - - - - - The operating system must use a separate file system for /var/log. - - - - - - - - - The operating system must prevent device files from being interpreted on file systems that contain user home directories. - - - - - - - - - The operating system must prevent code from being executed on file systems that contain user home directories. - - - - - - - - - The operating system must mount /boot with the nodev option. - - - - - - - - - The operating system must mount /tmp with the noexec option. - - - - - - - - - The operating system must mount /var with the nodev option. - - - - - - - - - - The operating system cron configuration directories must have a mode of 0700 or less permissive. - - - - - - - - - All the operating system local interactive user home directories must have mode 0750 or less permissive. - - - - - - - - - The operating system /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. 
- - - - - - - - - The operating system /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. - - - - - - - - - The operating system /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. - - - - - - - - - The operating system /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. - - - - - - - - - The operating system /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. - - - - - - - - - The operating system /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. - - - - - - - - - The operating system /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. - - - - - - - - - The operating system /etc/group file must be owned by root. - - - - - - - - - The operating system /etc/group file must be group-owned by root. - - - - - - - - - The operating system /etc/group- file must be owned by root. - - - - - - - - - The operating system /etc/group- file must be group-owned by root. - - - - - - - - - The operating system /etc/gshadow file must be owned by root. - - - - - - - - - The operating system /etc/gshadow file must be group-owned by root. - - - - - - - - - The operating system /etc/gshadow- file must be owned by root. - - - - - - - - - The operating system /etc/gshadow- file must be group-owned by root. - - - - - - - - - The operating system /etc/passwd file must be owned by root. - - - - - - - - - The operating system /etc/passwd file must be group-owned by root. - - - - - - - - - The operating system /etc/passwd- file must be owned by root. - - - - - - - - - The operating system /etc/passwd- file must be group-owned by root. - - - - - - - - - The operating system /etc/shadow file must be owned by root. - - - - - - - - - The operating system /etc/shadow file must be group-owned by root. 
- - - - - - - - - The operating system /etc/shadow- file must be owned by root. - - - - - - - - - The operating system /etc/shadow- file must be group-owned by root. - - - - - - - - - The operating system cron configuration files directory must be owned by root. - - - - - - - - - - The operating system cron configuration files directory must be group-owned by root. - - - - - - - - - The operating system /etc/crontab file must have mode 0600. - - - - - - - - - The operating system /etc/shadow file must have mode 0000 to prevent unauthorized access. - - - - - - - - - A firewall must be active on the operating system. - - - - - - - - - The operating system must have the chrony package installed. - - - - - - - - - The operating system chronyd service must be enabled. - - - - - - - - - The operating system must configure a DNS processing mode set be Network Manager. - - - - - - - - - - The operating system libreswan package must be installed. - - - - - - - - - All the operating system networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. - - - - - - - - - The operating system must have the openssh-clients package installed. - - - - - - - - - The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. - - - - - - - - - - The operating system SSHD must accept public key authentication. - - - - - - - - - - - - - The operating system SSHD must not allow blank passwords. - - - - - - - - - The operating system must enable the Pluggable Authentication Module (PAM) interface for SSHD. - - - - - - - - - The operating system must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections. 
- - - - - - - - - - - - - - - - The operating system must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections. - - - - - - - - - The operating system SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. - - - - - - - - - The operating system must not allow a noncertificate trusted host SSH logon to the system. - - - - - - - - - The operating system SSH daemon must be configured with a timeout interval. - - - - - - - - - The operating system SSH server configuration file must be group-owned by root. - - - - - - - - - - - The operating system SSH server configuration file must be owned by root. - - - - - - - - - - - The operating system SSH server configuration file must have mode 0600 or less permissive. - - - - - - - - - - - The operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. - - - - - - - - - The operating system SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. - - - - - - - - - - - - - - - - The operating system SSH daemon must not allow rhosts authentication. - - - - - - - - - The operating system SSH daemon must not allow authentication using known host's authentication. - - - - - - - - - - - - - The operating system must display the date and time of the last successful account logon upon an SSH logon. - - - - - - - - - - - - - The operating system must prevent a user from overriding the banner-message-enable setting for the graphical user interface. - - - - - - - - - - The operating system must disable the graphical user interface automount function unless required. - - - - - - - - - The operating system must prevent a user from overriding the disabling of the graphical user interface automount function. 
- - - - - - - - - - The operating system must prevent a user from overriding the disabling of the graphical user interface autorun function. - - - - - - - - - - The operating system must prevent a user from overriding the disabling of the graphical user smart card removal action. - - - - - - - - - - The operating system must prevent a user from overriding the session lock-delay setting for the graphical user interface. - - - - - - - - - - The operating system must disable the ability of a user to restart the system from the login screen. - - - - - - - - - The operating system must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. - - - - - - - - - - The operating system must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. - - - - - - - - - The operating system must have the USBGuard installed. - - - - - - - - - The operating system must have the USBGuard package enabled. - - - - - - - - - The operating system user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. - - - - - - - - - The operating system duplicate User IDs (UIDs) must not exist for interactive users. - - - - - - - - - The operating system system accounts must not have an interactive login shell. - - - - - - - - - All the operating system interactive users must have a primary group that exists. - - - - - - - - - All the operating system local interactive users must have a home directory assigned in the /etc/passwd file. - - - - - - - - - - The operating system groups must have unique Group ID (GID). - - - - - - - - - The operating system must define default permissions for the bash shell. - - - - - - - - - The operating system must define default permissions for the c shell. - - - - - - - - - The operating system must define default permissions for the system default profile. 
- - - - - - - - - The operating system must configure SELinux context type to allow the use of a nondefault faillock tally directory. - - - - - - - - - - The operating system policycoreutils-python-utils package must be installed. - - - - - - - - - The operating system must have the sudo package installed. - - - - - - - - - The operating system must require users to reauthenticate for privilege escalation. - - - - - - - - - - The operating system must restrict privilege elevation to authorized personnel. - - - - - - - - - - The operating system must restrict the use of the "su" command. - - - - - - - - - The operating system fapolicy module must be installed. - - - - - - - - - The operating system password-auth must be configured to use a sufficient number of hashing rounds. - - - - - - - - - The operating system system-auth must be configured to use a sufficient number of hashing rounds. - - - - - - - - - The operating system must enforce password complexity rules for the root account. - - - - - - - - - The operating system operating system must not be configured to bypass password requirements for privilege escalation. - - - - - - - - - The operating system must use the CAC smart card driver. - - - - - - - - - The operating system must enable certificate based smart card authentication. - - - - - - - - - The operating system must implement certificate status checking for multifactor authentication. - - - - - - - - - The operating system must have the pcsc-lite package installed. - - - - - - - - - The pcscd service on the operating system must be active. - - - - - - - - - The operating system must have the opensc package installed. - - - - - - - - - The operating system operating systems must require authentication upon booting into rescue mode. - - - - - - - - - - The operating system operating system must use a file integrity tool to verify correct operation of all security functions. 
- - - - - - - - - - The rsyslog service must be running in the operating system. - - - - - - - - - All the operating system remote access methods must be monitored. - - - - - - - - - - - The operating system must be configured to offload audit records onto a different system from the system being audited via syslog. - - - - - - - - - The operating system audit records must be off-loaded onto a different system or storage media from the system being audited. - - - - - - - - - - The operating system audit service must be enabled. - - - - - - - - - - The operating system must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. - - - - - - - - - - The operating system must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. - - - - - - - - - The operating system must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. - - - - - - - - - The operating system audit system must take appropriate action when the audit files have reached maximum size. - - - - - - - - - The operating system must periodically flush audit records to disk to prevent the loss of audit records. - - - - - - - - - The operating system must write audit records to disk. - - - - - - - - - The operating system /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. - - - - - - - - - The operating system audispd-plugins package must be installed. - - - - - - - - - Successful/unsuccessful uses of the init command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the poweroff command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the reboot command in the operating system must generate an audit record. 
- - - - - - - - - Successful/unsuccessful uses of the shutdown command in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the umount system call in the operating system must generate an audit record. - - - - - - - - - Successful/unsuccessful uses of the umount2 system call in the operating system must generate an audit record. - - - - - - - - - - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. - - - - - - - - - The operating system must take appropriate action when a critical audit processing failure occurs. - - - - - - - - - The operating system must enable FIPS mode. - - - - - - - - - The operating system IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. - - - - - - - - - - - - - The operating system must have the crypto-policies package installed. - - - - - - - - - The operating system must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - - - - - - - - - The operating system must implement DOD-approved encryption in the bind package. - - - - - - - - - The operating system library directories must have mode 0755 or less permissive. - - - - - - - - - - - - - The operating system SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. - - - - - - - - - The operating system SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. - - - - - - - - - The operating system must be a vendor supported release. 
- - - - - - - - - The operating system must have the SSSD package installed. - - - - - - - - - The operating system must use the SSSD package for multifactor authentication services. - - - - - - - - - - The operating system oracle-linux-manager package must be installed. - - - - - - - - - The operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. - - - - - - - - - The operating system must not allow users to override SSH environment variables. - - - - - - - - - The operating system must clear SLUB/SLAB objects to prevent use-after-free attacks. - - - - - - - - - - The operating system must automatically exit interactive command shell user sessions after 15 minutes of inactivity. - - - - - - - - - Local the operating system initialization files must not execute world-writable programs. - - - - - - - - - - The operating system system commands must be group-owned by root or a system account. - - - - - - - - - The operating system system commands must be owned by root. - - - - - - - - - The operating system system commands must have mode 755 or less permissive. - - - - - - - - - - The operating system library directories must be group-owned by root or a system account. - - - - - - - - - The operating system library directories must be owned by root. - - - - - - - - - The operating system library directories must have mode 755 or less permissive. - - - - - - - - - - The operating system must authenticate the remote logging server for offloading audit logs via rsyslog. - - - - - - - - - The operating system must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. 
- - - - - - - - - The operating system must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - - - - - - - - - The operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. - - - - - - - - - The operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - - - - - - - - - The operating system must not forward IPv4 source-routed packets. - - - - - - - - - The operating system must log IPv4 packets with impossible addresses. - - - - - - - - - The operating system must log IPv4 packets with impossible addresses by default. - - - - - - - - - The operating system must use reverse path filtering on all IPv4 interfaces. - - - - - - - - - The operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - - - - - - - - The operating system must not forward IPv4 source-routed packets by default. - - - - - - - - - The operating system must use a reverse-path filter for IPv4 network traffic, when possible, by default. - - - - - - - - - The operating system must not enable IPv4 packet forwarding unless the system is a router. - - - - - - - - - The operating system must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - - - - - - - - - The operating system must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. - - - - - - - - - The operating system must not send Internet Control Message Protocol (ICMP) redirects. - - - - - - - - - The operating system must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - - - - - - - - - The operating system must not accept router advertisements on all IPv6 interfaces. 
- - - - - - - - - The operating system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - - - - - - - - - The operating system must not forward IPv6 source-routed packets. - - - - - - - - - The operating system must not enable IPv6 packet forwarding unless the system is a router. - - - - - - - - - The operating system must not accept router advertisements on all IPv6 interfaces by default. - - - - - - - - - The operating system must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - - - - - - - - The operating system must be configured to use TCP syncookies. - - - - - - - - - The operating system must audit any script or executable called by cron as root or by any privileged user. - - - - - - - - - - The autofs package is installed. - - - - - - - - - The system has nfs entries in /etc/fstab - - - - - - - - - The postifx package is installed. - - - - - - - - - The Trivial File Transfer Protocol (TFTP) server package is installed. - - - - - - - - - The libreswan package is installed. - - - - - - - - - The system has BIND installed. - - - - - - - - - Gnome is installed - - Linux Systems - - - - - - - - - - - Linux United Extensible Firmware Interface (UEFI) - - Linux Systems - - - - - - - - - - IPv6 is disabled in the kernel. - - Linux Systems - - IPv6 is disabled in the kernel, either via a kernel cmdline option or sysctl. - - - - - - - - - - - - OL09-00-000002 - OL 9 must use a separate file system for the system audit data path. - - Oracle Linux 9 - - Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cannot be halted due to the partition running out of space. - - - - - - - - OL09-00-000003 - OL 9 must be configured so that a separate file system must be used for user home directories (such as /home or an equivalent). 
- - Oracle Linux 9 - - Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. - - - - - - - - OL09-00-000004 - OL 9 must use a separate file system for /tmp. - - Oracle Linux 9 - - The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. - - - - - - - - OL09-00-000005 - OL 9 must use a separate file system for /var. - - Oracle Linux 9 - - Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories installed by other software packages. - - - - - - - - OL09-00-000006 - OL 9 must use a separate file system for /var/log. - - Oracle Linux 9 - - Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/". - - - - - - - - OL09-00-000007 - OL 9 must use a separate file system for /var/tmp. - - Oracle Linux 9 - - The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. - - - - - - - - OL09-00-000010 - OL 9 must be a vendor supported release. - - Oracle Linux 9 - - An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - - Oracle offers Oracle Linux Premier Support, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
- - - - - - - - OL09-00-000020 - OL 9 must be configured so that the graphical display manager is not the default target unless approved. - - Oracle Linux 9 - - Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented. - - - - - - - - OL09-00-000025 - OL 9 must require authentication to access emergency mode. - - Oracle Linux 9 - - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. - - This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. - - - - - - - - OL09-00-000030 - OL 9 must require authentication to access single-user mode. - - Oracle Linux 9 - - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. 
Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. - - This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. - - - - - - - - OL09-00-000040 - OL 9 must be configured to disable the Asynchronous Transfer Mode (ATM) kernel module. - - Oracle Linux 9 - - Disabling ATM protects the system against exploitation of any flaws in its implementation. - - - - - - - - OL09-00-000041 - OL 9 must be configured to disable the Controller Area Network (CAN) kernel module. - - Oracle Linux 9 - - Disabling CAN protects the system against exploitation of any flaws in its implementation. - - - - - - - - OL09-00-000042 - OL 9 must be configured to disable the FireWire kernel module. - - Oracle Linux 9 - - Disabling firewire protects the system against exploitation of any flaws in its implementation. - - - - - - - - OL09-00-000043 - OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. - - Oracle Linux 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - Failing to disconnect unused protocols can result in a system compromise. 
- - The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation. - - - - - - - - OL09-00-000044 - OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. - - Oracle Linux 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - Failing to disconnect unused protocols can result in a system compromise. - - The TIPC is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free, and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation. - - - - - - - - OL09-00-000045 - OL 9 must disable mounting of cramfs. - - Oracle Linux 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - Removing support for unneeded filesystem types reduces the local attack surface of the server. - - Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. - - - - - - - - OL09-00-000046 - OL 9 Bluetooth must be disabled. 
- - Oracle Linux 9 - - This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the authorizing official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 9 operating system. - - Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 - - - - - - - - OL09-00-000047 - OL 9 must be configured to disable USB mass storage. - - Oracle Linux 9 - - USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. - - Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 - - - - - - - - OL09-00-000060 - OL 9 must use a Linux Security Module configured to enforce limits on system services. - - Oracle Linux 9 - - Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - - This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. 
- - Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068 - - - - - - - - OL09-00-000065 - OL 9 must enable the SELinux targeted policy. - - Oracle Linux 9 - - Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. - - Note: During the development or debugging of SELinux modules, it is common to temporarily place nonproduction systems in "permissive" mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to "targeted". - - - - - - - - OL09-00-000070 - OL 9 must enable FIPS mode. - - Oracle Linux 9 - - Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - - Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223 - - - - - - - - OL09-00-000100 - OL 9 must not have the nfs-utils package installed. - - Oracle Linux 9 - - "nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, "showmount" can display the clients that are mounted on that host. 
- - - - - - - - OL09-00-000110 - OL 9 must not have the telnet-server package installed. - - Oracle Linux 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. - - The telnet service provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. - - Removing the "telnet-server" package decreases the risk of accidental (or intentional) activation of the telnet service. - - - - - - - - OL09-00-000115 - OL 9 must not have the gssproxy package installed. - - Oracle Linux 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). - - The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. - - - - - - - - OL09-00-000120 - OL 9 must not have the iprutils package installed. - - Oracle Linux 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - - The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. - - - - - - - - OL09-00-000125 - OL 9 must not have the tuned package installed. - - Oracle Linux 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - - The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. - - - - - - - - OL09-00-000130 - OL 9 must not have a File Transfer Protocol (FTP) server package installed. - - Oracle Linux 9 - - The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. 
- - Removing the "vsftpd" package decreases the risk of accidental activation. - - Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049 - - - - - - - - OL09-00-000135 - OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. - - Oracle Linux 9 - - Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. - - If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established. - - - - - - - - OL09-00-000140 - OL 9 must not have the quagga package installed. - - Oracle Linux 9 - - Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. - - If there is no need to make the router software available, removing it provides a safeguard against its activation. - - - - - - - - OL09-00-000145 - OL 9 must not have a graphical display manager installed unless approved. - - Oracle Linux 9 - - Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. - - - - - - - - OL09-00-000150 - OL 9 must not have the sendmail package installed. - - Oracle Linux 9 - - The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. - - - - - - - - OL09-00-000200 - OL 9 must have policycoreutils package installed. - - Oracle Linux 9 - - Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - - Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. - - - - - - - - OL09-00-000210 - OL 9 policycoreutils-python-utils package must be installed. - - Oracle Linux 9 - - The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox. - - - - - - - - OL09-00-000220 - OL 9 must have the firewalld package installed. - - Oracle Linux 9 - - Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. - - Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. - - Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - - OL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - - Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232 - - - - - - - - OL09-00-000221 - OL 9 must be configured so that the firewalld service is active. - - Oracle Linux 9 - - Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. - - Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. - - Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - - OL 9 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - - Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115 - - - - - - - - OL09-00-000230 - OL 9 must have the sudo package installed. - - Oracle Linux 9 - - sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to complete their work. 
- - - - - - - - OL09-00-000231 - OL 9 must use the invoking user's password for privilege escalation when using sudo. - - Oracle Linux 9 - - If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. - - - - - - - - OL09-00-000232 - OL 9 must restrict privilege elevation to authorized personnel. - - Oracle Linux 9 - - If the sudoers file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. - - - - - - - - OL09-00-000240 - OL 9 must have the crypto-policies package installed. - - Oracle Linux 9 - - Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. - - Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 - - - - - - - - OL09-00-000250 - OL 9 networked systems must have SSH installed. - - Oracle Linux 9 - - Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - - This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - - Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - - Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190 - - - - - - - - OL09-00-000251 - OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. - - Oracle Linux 9 - - Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - - This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - - Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - - Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190 - - - - - - - - OL09-00-000252 - The OL 9 SSH daemon must be configured to use systemwide cryptographic policies. - - Oracle Linux 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless. - - Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - - OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. - - - - - - - - OL09-00-000254 - OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. - - Oracle Linux 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - - Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - - OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. 
- - - - - - - - OL09-00-000255 - OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. - - Oracle Linux 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - - Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - - OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - - - - - - - - OL09-00-000256 - OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. - - Oracle Linux 9 - - The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. - - Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 - - - - - - - - OL09-00-000260 - OL 9 must have the openssh-clients package installed. - - Oracle Linux 9 - - This package includes utilities to make encrypted connections and transfer files securely to SSH servers. 
- - - - - - - - OL09-00-000261 - OL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. - - Oracle Linux 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - - Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - - OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - - - - - - - - OL09-00-000262 - OL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. - - Oracle Linux 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
- - Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - - OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - - - - - - - - OL09-00-000270 - OL 9 must have the openssl-pkcs11 package installed. - - Oracle Linux 9 - - Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. - - Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162 - - - - - - - - OL09-00-000285 - OL 9 must have the SSSD package installed. - - Oracle Linux 9 - - Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - - Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. - - A privileged account is defined as an information system account with authorizations of a privileged user. 
- - Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - - This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - - Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160 - - - - - - - - OL09-00-000286 - OL 9 must use the SSSD package for multifactor authentication services. - - Oracle Linux 9 - - Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - - Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. - - A privileged account is defined as an information system account with authorizations of a privileged user. - - Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. - - Multifactor authentication requires using two or more factors to achieve authentication. - - Factors include: - 1) Something a user knows (e.g., password/PIN); - 2) Something a user has (e.g., cryptographic identification device, token); and - 3) Something a user is (e.g., biometric). 
- - A privileged account is defined as an information system account with authorizations of a privileged user. - - Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). - - The DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. - - Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00161 - - - - - - - - OL09-00-000290 - OL 9 must have the s-nail package installed. - - Oracle Linux 9 - - The s-nail package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel. - - - - - - - - OL09-00-000300 - OL 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. - - Oracle Linux 9 - - Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - - Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 - - - - - - - - OL09-00-000310 - OL 9 must have the chrony package installed. - - Oracle Linux 9 - - Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. - - - - - - - - OL09-00-000311 - OL 9 must enable the chronyd service. - - Oracle Linux 9 - - Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. - - Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. - - - - - - - - OL09-00-000320 - OL 9 must have the USBGuard package installed. - - Oracle Linux 9 - - The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. - - The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. - - - - - - - - OL09-00-000321 - OL 9 must enable the USBGuard package. - - Oracle Linux 9 - - The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. 
The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. - - The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. - - - - - - - - OL09-00-000330 - OL 9 must have the oracle-linux-manager package installed. - - Oracle Linux 9 - - Oracle Linux Manager, based on the Spacewalk open source software, helps automate Oracle Linux systems management. This enables users to control the system software life cycle from initial installation through maintenance, software configuration, upgrades, and eventual decommissioning. Oracle Linux Manager also helps automate a kickstart installation, system configuration, and maintenance tasks, which enables rapid deployment of proven and consistent software configurations for Oracle Linux systems. - - - - - - - - OL09-00-000340 - OL 9 must have the fapolicy module installed. - - Oracle Linux 9 - - The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. - - Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. - - User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. - - OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". 
"fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blocklist or allowlist processes or file access. - - Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 - - - - - - - - OL09-00-000341 - OL 9 must enable the fapolicy module. - - Oracle Linux 9 - - The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. - - Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. - - User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. - - OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blocklist or allowlist processes or file access. - - Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. 
- - Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 - - - - - - - - OL09-00-000350 - OL 9 must have the rsyslog package installed. - - Oracle Linux 9 - - rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS, and DTLS protocols), to create a method to securely encrypt and offload auditing. - - Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024 - - - - - - - - OL09-00-000351 - OL 9 must be configured so that the rsyslog service is active. - - Oracle Linux 9 - - The rsyslog service must be running to provide logging services, which are essential to system administration. - - - - - - - - OL09-00-000355 - OL 9 must have the packages required for encrypting offloaded audit logs installed. - - Oracle Linux 9 - - The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. - - - - - - - - OL09-00-000360 - OL 9 must enable the hardware random number generator entropy gatherer service. - - Oracle Linux 9 - - The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - - The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). - - - - - - - - OL09-00-000370 - OL 9 must have the rng-tools package installed. 
- - Oracle Linux 9 - - rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates. - - - - - - - - OL09-00-000380 - OL 9 must have the nss-tools package installed. - - Oracle Linux 9 - - Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database. - - - - - - - - OL09-00-000390 - OL 9 must have the pcsc-lite package installed. - - Oracle Linux 9 - - The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards. - - - - - - - - OL09-00-000400 - OL 9 must have the opensc package installed. - - Oracle Linux 9 - - The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. - - The DOD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. - - Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161 - - - - - - - - OL09-00-000401 - OL 9 must be configured so that the pcscd service is active. - - Oracle Linux 9 - - The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - - The daemon program for pcsc-lite and the MuscleCard framework is pcscd. It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system. - - - - - - - - OL09-00-000410 - OL 9 must have the libreswan package installed. 
- - Oracle Linux 9 - - Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. - - - - - - - - OL09-00-000430 - OL 9 must have the gnutls-utils package installed. - - Oracle Linux 9 - - GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools. - - - - - - - - OL09-00-000440 - OL 9 must have the audit package installed. - - Oracle Linux 9 - - Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - - Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - - Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured OL 9 system. 
- - Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026 - - - - - - - - OL09-00-000441 - OL 9 audit service must be enabled. - - Oracle Linux 9 - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. - - Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. - - Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 - - - - - - - - OL09-00-000450 - OL 9 must have the audispd-plugins package installed. 
- - Oracle Linux 9 - - audispd-plugins provides plug-ins for the real-time interface to the audit subsystem, audispd. These plug-ins can do things like relay events to remote machines or analyze events for suspicious behavior. - - - - - - - - OL09-00-000495 - OL 9 must remove all software components after updated versions have been installed. - - Oracle Linux 9 - - Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. - - - - - - - - OL09-00-000496 - OL 9 must check the GPG signature of locally installed software packages before installation. - - Oracle Linux 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - - All software packages must be signed with a cryptographic key recognized and approved by the organization. - - Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. - - - - - - - - OL09-00-000497 - OL 9 must check the GPG signature of software packages originating from external software repositories before installation. - - Oracle Linux 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - - All software packages must be signed with a cryptographic key recognized and approved by the organization. - - Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a trusted vendor. - - - - - - - - OL09-00-000498 - OL 9 must have GPG signature verification enabled for all software repositories. - - Oracle Linux 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - - All software packages must be signed with a cryptographic key recognized and approved by the organization. - - Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. - - - - - - - - OL09-00-000500 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. - - Oracle Linux 9 - - The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. - - Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 - - - - - - - - OL09-00-000505 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. 
- - Oracle Linux 9 - - The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. - - Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 - - - - - - - - OL09-00-000510 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - - Oracle Linux 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. - - Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 - - - - - - - - OL09-00-000515 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - - Oracle Linux 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
- - Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 - - - - - - - - OL09-00-000520 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - - Oracle Linux 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. - - Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 - - - - - - - - OL09-00-000525 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - - Oracle Linux 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
- - Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107 - - - - - - - - OL09-00-000530 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - - Oracle Linux 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. - - Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 - - - - - - - - OL09-00-000535 - OL 9 must audit all uses of the unix_update command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000540 - OL 9 must audit all uses of the su command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 - - - - - - - - OL09-00-000545 - OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. - - Oracle Linux 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 - - - - - - - - OL09-00-000550 - OL 9 must audit all uses of the chage command. 
- - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000555 - OL 9 must audit all uses of the chcon command. - - Oracle Linux 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 - - - - - - - - OL09-00-000560 - OL 9 must audit all uses of the setfacl command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000565 - OL 9 must audit all uses of the chsh command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000570 - OL 9 must audit all uses of the crontab command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000575 - OL 9 must audit all uses of the gpasswd command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000580 - OL 9 must audit all uses of the newgrp command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000585 - OL 9 must audit all uses of the pam_timestamp_check command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000590 - OL 9 must audit all uses of the passwd command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. 
Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000595 - OL 9 must audit all uses of the postdrop command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000600 - OL 9 must audit all uses of the postqueue command. 
- - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000605 - OL 9 must audit all uses of the ssh-agent command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000610 - OL 9 must audit all uses of the ssh-keysign command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000615 - OL 9 must audit all uses of the sudoedit command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000620 - OL 9 must audit all uses of the unix_chkpwd command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000625 - OL 9 must audit all uses of the userhelper command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000630 - OL 9 must audit all uses of the mount command. - - Oracle Linux 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000635 - OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. 
- - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 - - - - - - - - OL09-00-000640 - OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. - - Oracle Linux 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203 - - - - - - - - OL09-00-000645 - OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. - - Oracle Linux 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 - - - - - - - - OL09-00-000650 - OL 9 must audit all uses of the semanage command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 - - - - - - - - OL09-00-000655 - OL 9 must audit all uses of the setfiles command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 - - - - - - - - OL09-00-000660 - OL 9 must audit all uses of the setsebool command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. 
Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 - - - - - - - - OL09-00-000665 - OL 9 must audit all uses of the chacl command. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 - - - - - - - - OL09-00-000670 - OL 9 must audit all uses of the sudo command. 
- - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 - - - - - - - - OL09-00-000675 - OL 9 must audit all uses of the usermod command. - - Oracle Linux 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 - - - - - - - - OL09-00-000680 - OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
- - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212 - - - - - - - - OL09-00-000685 - OL 9 must audit all uses of the delete_module system call. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 - - - - - - - - OL09-00-000690 - OL 9 must audit all uses of the init_module and finit_module system calls. 
- - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 - - - - - - - - OL09-00-000695 - OL 9 must audit all uses of the kmod command. - - Oracle Linux 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 - - - - - - - - OL09-00-000700 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214 - - - - - - - - OL09-00-000705 - OL 9 must audit all uses of umount system calls. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000710 - OL 9 must use cryptographic mechanisms to protect the integrity of audit tools. - - Oracle Linux 9 - - Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. - - Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. - - To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. - - Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 - - - - - - - - OL09-00-000715 - OL 9 must audit uses of the execve system call. 
- - Oracle Linux 9 - - Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - - Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-OS-000755-GPOS-00220 - - - - - - - - OL09-00-000720 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 - - - - - - - - OL09-00-000725 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. - - Oracle Linux 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 - - - - - - - - OL09-00-000730 - OL 9 must be configured so that successful/unsuccessful uses of the init command generate an audit record. - - Oracle Linux 9 - - Misuse of the init command may cause availability issues for the system. - - - - - - - - OL09-00-000735 - OL 9 must be configured so that successful/unsuccessful uses of the poweroff command generate an audit record. 
- - Oracle Linux 9 - - Misuse of the poweroff command may cause availability issues for the system. - - - - - - - - OL09-00-000740 - OL 9 must be configured so that successful/unsuccessful uses of the reboot command generate an audit record. - - Oracle Linux 9 - - Misuse of the reboot command may cause availability issues for the system. - - - - - - - - OL09-00-000745 - OL 9 must be configured so that successful/unsuccessful uses of the shutdown command generate an audit record. - - Oracle Linux 9 - - Misuse of the shutdown command may cause availability issues for the system. - - - - - - - - OL09-00-000750 - OL 9 must enable auditing of processes that start prior to the audit daemon. - - Oracle Linux 9 - - Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095 - - - - - - - - OL09-00-000755 - OL 9 must label all offloaded audit logs before sending them to the central log server. - - Oracle Linux 9 - - Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. - - When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. 
- - Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - - - - - - - - OL09-00-000760 - OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. - - Oracle Linux 9 - - It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - - - - - - - - OL09-00-000765 - OL 9 audit system must take appropriate action when the audit storage volume is full. - - Oracle Linux 9 - - It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - - - - - - - - OL09-00-000770 - OL 9 audit system must take appropriate action when the audit files have reached maximum size. - - Oracle Linux 9 - - It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - - - - - - - - OL09-00-000775 - OL 9 must periodically flush audit records to disk to prevent the loss of audit records. - - Oracle Linux 9 - - If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost. 
- - - - - - - - OL09-00-000785 - OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. - - Oracle Linux 9 - - Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - - Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 - - - - - - - - OL09-00-000790 - OL 9 audit log directory must be owned by root to prevent unauthorized read access. - - Oracle Linux 9 - - Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - - Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 - - - - - - - - OL09-00-000795 - OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. - - Oracle Linux 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - - The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 - - - - - - - - OL09-00-000800 - OL 9 audit system must audit local events. 
- - Oracle Linux 9 - - Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - - If option "local_events" isn't set to "yes" only events from network will be aggregated. - - - - - - - - OL09-00-000805 - OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - - Oracle Linux 9 - - Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - - - - - - - OL09-00-000810 - OL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. - - Oracle Linux 9 - - Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - - - - - - - OL09-00-000815 - OL 9 must forward mail from postmaster to the root account using a postfix alias. - - Oracle Linux 9 - - It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - - - - - - - - OL09-00-000820 - OL 9 must take appropriate action when a critical audit processing failure occurs. - - Oracle Linux 9 - - It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - - Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00135 - - - - - - - - OL09-00-000825 - The OL 9 system administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. - - Oracle Linux 9 - - It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - - This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. 
- - Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134 - - - - - - - - OL09-00-000830 - OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. - - Oracle Linux 9 - - Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. - - Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132 - - - - - - - - OL09-00-000835 - OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. - - Oracle Linux 9 - - Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - - Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - - Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. 
- - - - - - - - OL09-00-000840 - OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record. - - Oracle Linux 9 - - The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000845 - OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record. - - Oracle Linux 9 - - The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing discretionary access control (DAC) modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. - - Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 - - - - - - - - OL09-00-000850 - OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. - - Oracle Linux 9 - - To ensure OL 9 systems have a sufficient storage capacity in which to write the audit logs, OL 9 needs to be able to allocate audit record storage capacity. - - The task of allocating audit record storage capacity is usually performed during initial installation of OL 9. - - Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 - - - - - - - - OL09-00-000855 - OL 9 must be configured to offload audit records onto a different system from the system being audited via syslog. - - Oracle Linux 9 - - The auditd service does not include the ability to send audit records to a centralized server for management directly. 
However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. - - Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - - - - - - - - OL09-00-000860 - OL 9 must take appropriate action when the internal event queue is full. - - Oracle Linux 9 - - The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - - Offloading is a common process in information systems with limited audit storage capacity. - - Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - - - - - - - - OL09-00-000865 - OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - - Oracle Linux 9 - - If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion. - - - - - - - - OL09-00-000870 - OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. - - Oracle Linux 9 - - If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion. - - - - - - - - OL09-00-000875 - OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. 
- - Oracle Linux 9 - - If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. - - - - - - - - OL09-00-000880 - OL 9 must write audit records to disk. - - Oracle Linux 9 - - Audit data should be synchronously written to disk to ensure log integrity. This setting ensures that all audit event data is written disk. - - - - - - - - OL09-00-000885 - OL 9 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. - - Oracle Linux 9 - - If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. - - - - - - - - OL09-00-000925 - OL 9 must enable certificate-based smart card authentication. - - Oracle Linux 9 - - Without the use of multifactor authentication (MFA), the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. - - Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052 - - - - - - - - OL09-00-000930 - OL 9 must implement certificate status checking for multifactor authentication (MFA). - - Oracle Linux 9 - - Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - - Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification (PIV) card and the DOD CAC. - - OL 9 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, SSSD performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. - - Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162 - - - - - - - - OL09-00-000935 - OL 9 must prohibit the use of cached authenticators after one day. - - Oracle Linux 9 - - If cached authentication information is out-of-date, the validity of the authentication information may be questionable. - - - - - - - - OL09-00-000940 - OL 9 must use the CAC smart card driver. - - Oracle Linux 9 - - Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. - - Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058 - - - - - - - - OL09-00-001000 - OL 9 must ensure the password complexity module is enabled in the system-auth file. - - Oracle Linux 9 - - Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. - - - - - - - - OL09-00-001001 - OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
"pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - - OL 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: - /etc/pam.d/password-auth - /etc/pam.d/system-auth - - By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes. - - - - - - - - OL09-00-001005 - OL 9 must enforce password complexity by requiring that at least one uppercase character be used. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. - - - - - - - - OL09-00-001010 - OL 9 must ensure the password complexity module is enabled in the password-auth file. - - Oracle Linux 9 - - Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. - - Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038 - - - - - - - - OL09-00-001015 - OL 9 must enforce password complexity by requiring that at least one lowercase character be used. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
- - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. - - - - - - - - OL09-00-001020 - OL 9 must enforce password complexity by requiring that at least one numeric character be used. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. - - - - - - - - OL09-00-001025 - OL 9 must require the change of at least eight characters when passwords are changed. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords will not resemble previously compromised ones. Note that passwords changed on compromised systems will still be compromised. 
- - - - - - - - OL09-00-001030 - OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - OL09-00-001035 - OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - OL09-00-001040 - OL 9 must require the change of at least four character classes when passwords are changed. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. 
- - - - - - - - OL09-00-001045 - OL 9 must enforce password complexity rules for the root account. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037 - - - - - - - - OL09-00-001050 - OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. - - Oracle Linux 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - - This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. - - - - - - - - OL09-00-001055 - OL 9 must be configured to use the shadow file to store only encrypted representations of passwords. - - Oracle Linux 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - - This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. - - - - - - - - OL09-00-001060 - OL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. - - Oracle Linux 9 - - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. - - OL 9 systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - - FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - - - - - - - - OL09-00-001065 - OL 9 password-auth must be configured to use a sufficient number of hashing rounds. - - Oracle Linux 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - - Using more hashing rounds makes password cracking attacks more difficult. - - Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - - - - - - - - OL09-00-001070 - OL 9 system-auth must be configured to use a sufficient number of hashing rounds. 
- - Oracle Linux 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - - Using more hashing rounds makes password cracking attacks more difficult. - - Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - - - - - - - - OL09-00-001075 - OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds. - - Oracle Linux 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - - Using more hashing rounds makes password cracking attacks more difficult. - - Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - - - - - - - - OL09-00-001080 - OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. - - Oracle Linux 9 - - The system must use a strong hashing algorithm to store the password. - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - - Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - - - - - - - - OL09-00-001085 - OL 9 passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs. - - Oracle Linux 9 - - Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. - - Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. - - - - - - - - OL09-00-001090 - OL 9 passwords must have a 24-hour minimum password lifetime restriction in /etc/shadow. - - Oracle Linux 9 - - Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. - - - - - - - - OL09-00-001095 - OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. - - Oracle Linux 9 - - Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. - - Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. - - - - - - - - OL09-00-001100 - OL 9 user account passwords must have a 60-day maximum password lifetime restriction. - - Oracle Linux 9 - - Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. 
If OL 9 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that OL 9 passwords could be compromised. - - - - - - - - OL09-00-001105 - OL 9 passwords must be created with a minimum of 15 characters. - - Oracle Linux 9 - - The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - - OL 9 uses "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. - - The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, but they will not count toward the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. - - The DOD minimum password requirement is 15 characters. - - - - - - - - OL09-00-001110 - OL 9 must not allow blank or null passwords. - - Oracle Linux 9 - - If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - - - - - - - - - OL09-00-001115 - OL 9 must require a boot loader superuser password. 
- - Oracle Linux 9 - - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. - - Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. - - - - - - - - OL09-00-001120 - OL 9 must enforce password complexity by requiring that at least one special character be used. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. OL 9 uses "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". 
- - - - - - - - OL09-00-001125 - OL 9 must prevent the use of dictionary words for passwords. - - Oracle Linux 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If OL 9 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. - - - - - - - - OL09-00-001130 - OL 9 must not have accounts configured with blank or null passwords. - - Oracle Linux 9 - - If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - - - - - - - - OL09-00-002000 - OL 9 file system automount function must be disabled unless required. - - Oracle Linux 9 - - An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. - - Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 - - - - - - - - OL09-00-002010 - OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. - - Oracle Linux 9 - - When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to authenticate the remote mount request more securely. - - - - - - - - OL09-00-002011 - OL 9 must prevent special devices on file systems that are imported via Network File System (NFS). - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002012 - OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). - - Oracle Linux 9 - - The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002013 - OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). - - Oracle Linux 9 - - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002030 - OL 9 must mount /boot with the nodev option. - - Oracle Linux 9 - - The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails. - - - - - - - - OL09-00-002031 - OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. - - Oracle Linux 9 - - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
- - - - - - - - OL09-00-002032 - OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. - - Oracle Linux 9 - - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002040 - OL 9 must mount /dev/shm with the nodev option. - - Oracle Linux 9 - - The nodev mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. - - - - - - - - OL09-00-002041 - OL 9 must mount /dev/shm with the noexec option. - - Oracle Linux 9 - - The noexec mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002042 - OL 9 must mount /dev/shm with the nosuid option. - - Oracle Linux 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
- - - - - - - - OL09-00-002050 - OL 9 must mount /tmp with the nodev option. - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. - - - - - - - - OL09-00-002051 - OL 9 must mount /tmp with the noexec option. - - Oracle Linux 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002052 - OL 9 must mount /tmp with the nosuid option. - - Oracle Linux 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002060 - OL 9 must mount /var with the nodev option. - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. 
- - - - - - - - OL09-00-002061 - OL 9 must mount /var/log with the nodev option. - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. - - - - - - - - OL09-00-002062 - OL 9 must mount /var/log with the noexec option. - - Oracle Linux 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002063 - OL 9 must mount /var/log with the nosuid option. - - Oracle Linux 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002064 - OL 9 must mount /var/log/audit with the nodev option. - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. 
- - - - - - - - OL09-00-002065 - OL 9 must mount /var/log/audit with the noexec option. - - Oracle Linux 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002066 - OL 9 must mount /var/log/audit with the nosuid option. - - Oracle Linux 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002067 - OL 9 must mount /var/tmp with the nodev option. - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. - - - - - - - - OL09-00-002068 - OL 9 must mount /var/tmp with the noexec option. - - Oracle Linux 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002069 - OL 9 must mount /var/tmp with the nosuid option. 
- - Oracle Linux 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002070 - OL 9 must prevent device files from being interpreted on file systems that contain user home directories. - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. - - - - - - - - OL09-00-002071 - OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. - - Oracle Linux 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - - - - - - - OL09-00-002072 - OL 9 must prevent code from being executed on file systems that contain user home directories. - - Oracle Linux 9 - - The noexec mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
- - - - - - - - OL09-00-002080 - OL 9 must prevent special devices on nonroot local partitions. - - Oracle Linux 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - - The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. - - - - - - - - OL09-00-002100 - OL 9 must disable the graphical user interface automount function unless required. - - Oracle Linux 9 - - Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. - - Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 - - - - - - - - OL09-00-002120 - OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. - - Oracle Linux 9 - - A nonprivileged account is any operating system account with authorizations of a nonprivileged user. Allowing such an account to re-enable automount would defeat the control that disables it. - - Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 - - - - - - - - OL09-00-002121 - OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. - - Oracle Linux 9 - - Automatically running software from newly mounted media permits easy introduction of unknown code, thereby facilitating malicious activity. Allowing a user to re-enable autorun would defeat the control that disables it. - - Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 - - - - - - - - OL09-00-002122 - OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. 
- - Oracle Linux 9 - - Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - - For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. - - Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 - - - - - - - - OL09-00-002123 - OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. - - Oracle Linux 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - - The session lock is implemented at the point where session activity can be determined and/or controlled. - - Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. - - Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - - - - - - - - OL09-00-002124 - OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. - - Oracle Linux 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. - - Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - - - - - - - - OL09-00-002125 - OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. - - Oracle Linux 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. - - - - - - - - OL09-00-002126 - OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. - - Oracle Linux 9 - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - - - - - - - - OL09-00-002127 - OL 9 must disable the ability of a user to restart the system from the login screen. 
- - Oracle Linux 9 - - A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. - - - - - - - - OL09-00-002128 - OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. - - Oracle Linux 9 - - A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. - - - - - - - - OL09-00-002129 - OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. - - Oracle Linux 9 - - A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. - - - - - - - - OL09-00-002150 - OL 9 must be configured to enable the display of the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. - - Oracle Linux 9 - - Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - - For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. 
- - Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 - - - - - - - - OL09-00-002160 - OL 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. - - Oracle Linux 9 - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - - - - - - - - OL09-00-002161 - OL 9 must not allow unattended or automatic logon via the graphical user interface. - - Oracle Linux 9 - - Failure to restrict system access to authenticated users negatively impacts operating system security. - - - - - - - - OL09-00-002301 - OL 9 must define default permissions for the bash shell. - - Oracle Linux 9 - - The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - - - - - - - - OL09-00-002302 - OL 9 must define default permissions for the c shell. - - Oracle Linux 9 - - The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. 
Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - - - - - - - - OL09-00-002303 - OL 9 must define default permissions for the system default profile. - - Oracle Linux 9 - - The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - - - - - - - - OL09-00-002304 - OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - - Oracle Linux 9 - - Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. - - - - - - - - OL09-00-002320 - OL 9 must disable the chrony daemon from acting as a server. - - Oracle Linux 9 - - Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. - - Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 - - - - - - - - OL09-00-002321 - OL 9 must disable network management of the chrony daemon. - - Oracle Linux 9 - - Not exposing the management interface of the chrony daemon on the network diminishes the attack surface. - - Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 - - - - - - - - OL09-00-002330 - OL 9 must enable Linux audit logging for the USBGuard daemon. 
- - Oracle Linux 9 - - Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. - - DOD has defined the list of events for which OL 9 will provide an audit record generation capability as the following: - - 1. Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - - 2. Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - - 3. All account creations, modifications, disabling, and terminations; and - - 4. All kernel module load, unload, and restart actions. - - - - - - - - OL09-00-002340 - OL 9 must log SSH connection attempts and failures to the server. - - Oracle Linux 9 - - SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. 
"INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. - - - - - - - - OL09-00-002341 - OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. - - Oracle Linux 9 - - GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. - - - - - - - - OL09-00-002342 - OL 9 must force a frequent session key renegotiation for SSH connections to the server. - - Oracle Linux 9 - - Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - - This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - - Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - - Session key regeneration limits the chances of a session key becoming compromised. 
- - Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPOS-00188 - - - - - - - - OL09-00-002343 - OL 9 SSHD must not allow blank passwords. - - Oracle Linux 9 - - If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - - - - - - - - OL09-00-002344 - OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. - - Oracle Linux 9 - - When UsePAM is set to "yes", PAM runs through the account and session module stacks properly. This is important when restricted access to services based on IP address, time, or other attributes of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or be denied access to the server. - - - - - - - - OL09-00-002345 - OL 9 must not permit direct logons to the root account using remote access via SSH. - - Oracle Linux 9 - - Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. - - - - - - - - OL09-00-002346 - OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. - - Oracle Linux 9 - - Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. 
- - Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - - OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - - Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 - - - - - - - - OL09-00-002347 - OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. - - Oracle Linux 9 - - Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. 
- - Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - - OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, SSHD will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - - Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175 - - - - - - - - OL09-00-002348 - OL 9 SSH daemon must not allow rhosts authentication. - - Oracle Linux 9 - - SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. - - - - - - - - OL09-00-002349 - OL 9 SSH daemon must not allow known hosts authentication. - - Oracle Linux 9 - - Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. - - - - - - - - OL09-00-002350 - OL 9 SSH daemon must disable remote X connections for interactive users. 
- - Oracle Linux 9 - - When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. - - - - - - - - OL09-00-002351 - OL 9 SSH daemon must perform strict mode checking of home directory configuration files. - - Oracle Linux 9 - - If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. - - - - - - - - OL09-00-002352 - OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. - - Oracle Linux 9 - - Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. - - - - - - - - OL09-00-002354 - OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. - - Oracle Linux 9 - - When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display. - - - - - - - - OL09-00-002355 - OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. - - Oracle Linux 9 - - If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. - - - - - - - - OL09-00-002356 - OL 9 SSH daemon must not allow Kerberos authentication. 
- - Oracle Linux 9 - - Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. - - - - - - - - OL09-00-002357 - OL 9 must not allow a noncertificate trusted host SSH logon to the system. - - Oracle Linux 9 - - SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. - - - - - - - - OL09-00-002358 - OL 9 must not allow users to override SSH environment variables. - - Oracle Linux 9 - - SSH environment options potentially allow users to bypass access restriction in some configurations. - - - - - - - - OL09-00-002359 - OL 9 SSHD must accept public key authentication. - - Oracle Linux 9 - - Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication. - - Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055 - - - - - - - - OL09-00-002360 - OL 9 must require reauthentication when using the "sudo" command. - - Oracle Linux 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to reauthenticate when using the "sudo" command. 
- - If the value is set to an integer less than "0", the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated. - - - - - - - - OL09-00-002361 - OL 9 must restrict the use of the su command. - - Oracle Linux 9 - - The su program allows running commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice. - - - - - - - - OL09-00-002362 - OL 9 must require users to reauthenticate for privilege escalation. - - Oracle Linux 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate. - - - - - - - - OL09-00-002363 - OL 9 must require users to provide a password for privilege escalation. - - Oracle Linux 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate. - - - - - - - - OL09-00-002364 - OL 9 must not be configured to bypass password requirements for privilege escalation. - - Oracle Linux 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - - - - - - - OL09-00-002370 - OL 9 must disable the use of user namespaces. - - Oracle Linux 9 - - User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces. Because container runtimes depend on this feature, confirm the system is not expected to run container workloads before applying this setting. - - - - - - - - OL09-00-002380 - OL 9 must disable the kernel.core_pattern. 
- - Oracle Linux 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - - - - - - - - OL09-00-002381 - OL 9 must disable core dump backtraces. - - Oracle Linux 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. - - Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. - - - - - - - - OL09-00-002382 - OL 9 must disable storing core dumps. - - Oracle Linux 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. - - - - - - - - OL09-00-002383 - OL 9 must disable core dumps for all users. - - Oracle Linux 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - - - - - - - - OL09-00-002384 - OL 9 must disable acquiring, saving, and processing core dumps. - - Oracle Linux 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - - - - - - - - OL09-00-002385 - OL 9 must be configured so that the kdump service is disabled. - - Oracle Linux 9 - - Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. - - - - - - - - OL09-00-002390 - OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks. - - Oracle Linux 9 - - Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - - Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - - SLAB objects are blocks of physically contiguous memory. SLUB is the unqueued SLAB allocator. - - Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068 - - - - - - - - OL09-00-002391 - OL 9 must enable mitigations against processor-based vulnerabilities. - - Oracle Linux 9 - - Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). 
- - Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049 - - - - - - - - OL09-00-002392 - OL 9 must disable the ability of systemd to spawn an interactive boot process. - - Oracle Linux 9 - - Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security. - - - - - - - - OL09-00-002393 - OL 9 must disable virtual system calls. - - Oracle Linux 9 - - System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual system calls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. - - Virtual system calls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling virtual system calls help to prevent return-oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on OL 6 components, virtual system calls will have to be enabled so the components function properly. - - - - - - - - OL09-00-002394 - OL 9 must clear the page allocator to prevent use-after-free attacks. - - Oracle Linux 9 - - Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - - - - - - - - OL09-00-002400 - OL 9 systemd-journald service must be enabled. 
- - Oracle Linux 9 - - In the event of a system failure, OL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. - - - - - - - - OL09-00-002401 - OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. - - Oracle Linux 9 - - By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - - Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - - - - - - - - OL09-00-002402 - OL 9 must enable kernel parameters to enforce discretionary access control on symlinks. - - Oracle Linux 9 - - By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - - Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - - - - - - - - OL09-00-002403 - OL 9 debug-shell systemd service must be disabled. - - Oracle Linux 9 - - The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. 
This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - - - - - - - - OL09-00-002404 - OL 9 IP tunnels must use 140-3 approved cryptographic algorithms. - - Oracle Linux 9 - - Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented. - - - - - - - - OL09-00-002406 - OL 9 must restrict access to the kernel message buffer. - - Oracle Linux 9 - - Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - - This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. - - There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. - - Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. - - Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 - - - - - - - - OL09-00-002407 - OL 9 must prevent kernel profiling by nonprivileged users. 
- - Oracle Linux 9 - - Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - - This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. - - There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. - - Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. - - Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 - - - - - - - - OL09-00-002408 - OL 9 must restrict exposed kernel pointer addresses access. - - Oracle Linux 9 - - Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". - - Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192 - - - - - - - - OL09-00-002409 - OL 9 must disable access to network bpf system call from nonprivileged processes. 
- - Oracle Linux 9 - - Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. - - - - - - - - OL09-00-002410 - OL 9 must restrict usage of ptrace to descendant processes. - - Oracle Linux 9 - - Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing). - - - - - - - - OL09-00-002411 - OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. - - Oracle Linux 9 - - Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. - - Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010 - - - - - - - - OL09-00-002412 - OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled. - - Oracle Linux 9 - - A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - - - - - - - - OL09-00-002413 - OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled. - - Oracle Linux 9 - - A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. 
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - - - - - - - - OL09-00-002415 - OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. - - Oracle Linux 9 - - Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. - - This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based on mission needs and the operational environment for each system. - - - - - - - - OL09-00-002416 - OL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - - Oracle Linux 9 - - By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - - Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - - - - - - - - OL09-00-002417 - OL 9 must maintain an account lock until the locked account is released by an administrator. - - Oracle Linux 9 - - By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
- - Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - - - - - - - - OL09-00-002419 - OL 9 file systems must not contain shosts.equiv files. - - Oracle Linux 9 - - The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. - - - - - - - - OL09-00-002420 - OL 9 file systems must not contain .shosts files. - - Oracle Linux 9 - - The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. - - - - - - - - OL09-00-002421 - OL 9 must implement DOD-approved encryption in the bind package. - - Oracle Linux 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - - Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - - OL 9 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. - - Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 - - - - - - - - OL09-00-002423 - OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. 
- - Oracle Linux 9 - - ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming (ROP) techniques. - - - - - - - - OL09-00-002424 - OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - - Oracle Linux 9 - - Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented. - - - - - - - - OL09-00-002425 - OL 9 must be configured to prevent unrestricted mail relaying. - - Oracle Linux 9 - - If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. - - - - - - - - OL09-00-002427 - OL 9 must be configured so that local initialization files do not execute world-writable programs. - - Oracle Linux 9 - - If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. - - - - - - - - OL09-00-002428 - OL 9 must prevent the loading of a new kernel for later execution. - - Oracle Linux 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
- - Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. - - - - - - - - OL09-00-002430 - OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. - - Oracle Linux 9 - - When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms". - - - - - - - - OL09-00-002502 - OL 9 SSH private host key files must have mode 0640 or less permissive. - - Oracle Linux 9 - - If an unauthorized user obtains the private SSH host key file, the host could be impersonated. - - - - - - - - OL09-00-002503 - OL 9 SSH public host key files must have mode 0644 or less permissive. - - Oracle Linux 9 - - If a public host key file is modified by an unauthorized user, the SSH service may be compromised. - - - - - - - - OL09-00-002504 - OL 9 system commands must be group-owned by root or a system account. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002505 - OL 9 system commands must be owned by root. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
- - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002506 - OL 9 system commands must have mode 755 or less permissive. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002507 - OL 9 SSH server configuration file must be group-owned by root. - - Oracle Linux 9 - - Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. - - - - - - - - OL09-00-002508 - OL 9 SSH server configuration file must be owned by root. - - Oracle Linux 9 - - Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. - - - - - - - - OL09-00-002509 - OL 9 SSH server configuration file must have mode 0600 or less permissive. - - Oracle Linux 9 - - Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. 
- - - - - - - - OL09-00-002513 - OL 9 local initialization files must have mode 0740 or less permissive. - - Oracle Linux 9 - - Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - - - - - - - - OL09-00-002515 - OL 9 local interactive user home directories must have mode 0750 or less permissive. - - Oracle Linux 9 - - Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. - - - - - - - - OL09-00-002520 - OL 9 library directories must be group-owned by root or a system account. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002521 - OL 9 library directories must be owned by root. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002522 - OL 9 library directories must have mode 755 or less permissive. 
- - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002523 - OL 9 library files must be group-owned by root or a system account. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002524 - OL 9 library files must be owned by root. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002525 - OL 9 library files must have mode 755 or less permissive. - - Oracle Linux 9 - - If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
- - This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. - - - - - - - - OL09-00-002530 - OL 9 /boot/grub2/grub.cfg file must be group-owned by root. - - Oracle Linux 9 - - The "root" group is a highly privileged group. The group-owner of this file should not have any access privileges. - - - - - - - - OL09-00-002531 - OL 9 /boot/grub2/grub.cfg file must be owned by root. - - Oracle Linux 9 - - The "/boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security. - - - - - - - - OL09-00-002532 - OL 9 /etc/group file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. - - - - - - - - OL09-00-002533 - OL 9 /etc/group- file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. - - - - - - - - OL09-00-002534 - OL 9 /etc/group file must be owned by root. - - Oracle Linux 9 - - The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. - - - - - - - - OL09-00-002535 - OL 9 /etc/group- file must be owned by root. - - Oracle Linux 9 - - The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. - - - - - - - - OL09-00-002536 - OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. 
- - Oracle Linux 9 - - The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. - - - - - - - - OL09-00-002537 - OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. - - Oracle Linux 9 - - The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. - - - - - - - - OL09-00-002538 - OL 9 /etc/gshadow file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002539 - OL 9 /etc/gshadow- file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002540 - OL 9 /etc/gshadow file must be owned by root. - - Oracle Linux 9 - - The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002541 - OL 9 /etc/gshadow- file must be owned by root. - - Oracle Linux 9 - - The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002542 - OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. - - Oracle Linux 9 - - The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002543 - OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. 
- - Oracle Linux 9 - - The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002544 - OL 9 /etc/passwd file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. - - - - - - - - OL09-00-002545 - OL 9 /etc/passwd- file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. - - - - - - - - OL09-00-002546 - OL 9 /etc/passwd file must be owned by root. - - Oracle Linux 9 - - The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. - - - - - - - - OL09-00-002547 - OL 9 /etc/passwd- file must be owned by root. - - Oracle Linux 9 - - The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. - - - - - - - - OL09-00-002548 - OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. - - Oracle Linux 9 - - If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. - - - - - - - - OL09-00-002549 - OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. - - Oracle Linux 9 - - The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. 
Protection of this file is critical for system security. - - - - - - - - OL09-00-002550 - OL 9 /etc/shadow file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002551 - OL 9 /etc/shadow- file must be group-owned by root. - - Oracle Linux 9 - - The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002552 - OL 9 /etc/shadow file must be owned by root. - - Oracle Linux 9 - - The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. - - - - - - - - OL09-00-002553 - OL 9 /etc/shadow- file must be owned by root. - - Oracle Linux 9 - - The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002554 - OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. - - Oracle Linux 9 - - The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. - - - - - - - - OL09-00-002555 - OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. - - Oracle Linux 9 - - The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. 
Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. - - - - - - - - OL09-00-002560 - OL 9 /var/log directory must be group-owned by root. - - Oracle Linux 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - - The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - - - - - - OL09-00-002561 - OL 9 /var/log directory must be owned by root. - - Oracle Linux 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - - The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - - - - - - OL09-00-002562 - OL 9 /var/log directory must have mode 0755 or less permissive. - - Oracle Linux 9 - - Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - - The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - - - - - - OL09-00-002563 - OL 9 /var/log/messages file must be group-owned by root. - - Oracle Linux 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - - The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - - - - - - OL09-00-002564 - OL 9 /var/log/messages file must be owned by root. - - Oracle Linux 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - - The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - - - - - - OL09-00-002565 - OL 9 /var/log/messages file must have mode 0640 or less permissive. - - Oracle Linux 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - - The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - - - - - - OL09-00-002570 - OL 9 audit tools must be group-owned by root. - - Oracle Linux 9 - - Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - - OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - - - - - - - OL09-00-002571 - OL 9 audit tools must be owned by root. - - Oracle Linux 9 - - Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - - OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - - - - - - - OL09-00-002572 - OL 9 audit tools must have a mode of 0755 or less permissive. - - Oracle Linux 9 - - Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - - OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - - - - - - - OL09-00-002580 - OL 9 cron configuration directories must have a mode of 0700 or less permissive. - - Oracle Linux 9 - - Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. - - - - - - - - OL09-00-002581 - OL 9 cron configuration files directory must be group-owned by root. 
- - Oracle Linux 9 - - Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. - - - - - - - - OL09-00-002582 - OL 9 cron configuration files directory must be owned by root. - - Oracle Linux 9 - - Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. - - - - - - - - OL09-00-002583 - OL 9 /etc/crontab file must have mode 0600. - - Oracle Linux 9 - - Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must have the correct access rights to prevent unauthorized changes. - - - - - - - - OL09-00-003000 - OL 9 must be configured so that the root account is the only account having unrestricted access to the system. - - Oracle Linux 9 - - An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. - - - - - - - - OL09-00-003001 - OL 9 duplicate User IDs (UIDs) must not exist for interactive users. - - Oracle Linux 9 - - To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. 
- - Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020 - - - - - - - - OL09-00-003002 - OL 9 local interactive users must have a home directory assigned in the /etc/passwd file. - - Oracle Linux 9 - - If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. - - - - - - - - OL09-00-003005 - OL 9 interactive users must have a primary group that exists. - - Oracle Linux 9 - - If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group. - - - - - - - - OL09-00-003006 - OL 9 groups must have unique Group ID (GID). - - Oracle Linux 9 - - To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. - - - - - - - - OL09-00-003010 - OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. - - Oracle Linux 9 - - Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory. - - - - - - - - OL09-00-003020 - OL 9 must automatically lock an account when three unsuccessful logon attempts occur. - - Oracle Linux 9 - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - - Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - - - - - - - - OL09-00-003021 - OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
- - Oracle Linux 9 - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. - - Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - - - - - - - - OL09-00-003022 - OL 9 must log username information when unsuccessful logon attempts occur. - - Oracle Linux 9 - - Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack. - - - - - - - - OL09-00-003023 - OL 9 must ensure account lockouts persist. - - Oracle Linux 9 - - Having lockouts persist across reboots ensures that account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system. - - - - - - - - OL09-00-003051 - OL 9 system accounts must not have an interactive login shell. - - Oracle Linux 9 - - Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. - - - - - - - - OL09-00-003052 - OL 9 local interactive user accounts must be assigned a home directory upon creation. - - Oracle Linux 9 - - If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. - - - - - - - - OL09-00-003065 - OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. - - Oracle Linux 9 - - Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. - - Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. 
- - Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. - - Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110 - - - - - - - - OL09-00-003070 - OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. - - Oracle Linux 9 - - Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack. - - - - - - - - OL09-00-005000 - OL 9 remote access methods must be monitored. - - Oracle Linux 9 - - Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. - - - - - - - - OL09-00-005005 - OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. - - Oracle Linux 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - - Offloading is a common process in information systems with limited audit storage capacity. - - OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - - Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. 
- - Examples of each configuration: - UDP *.* @remotesystemname - TCP *.* @@remotesystemname - RELP *.* :omrelp:remotesystemname:2514 - Note that a port number was given as there is no standard port for RELP. - - Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133 - - - - - - - - OL09-00-005015 - OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. - - Oracle Linux 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - - Offloading is a common process in information systems with limited audit storage capacity. - - OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - - "Rsyslog" supported authentication modes include: - anon - anonymous authentication - x509/fingerprint - certificate fingerprint authentication - x509/certvalid - certificate validation only - x509/name - certificate validation and subject name authentication - - Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - - - - - - - - OL09-00-005020 - OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - - Oracle Linux 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - - Offloading is a common process in information systems with limited audit storage capacity. - - OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. 
Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - - "Rsyslog" supported authentication modes include: - anon - anonymous authentication - x509/fingerprint - certificate fingerprint authentication - x509/certvalid - certificate validation only - x509/name - certificate validation and subject name authentication - - Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - - - - - - - - OL09-00-005025 - OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - - Oracle Linux 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - - Offloading is a common process in information systems with limited audit storage capacity. - - OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. - - Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - - - - - - - - OL09-00-005030 - OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. - - Oracle Linux 9 - - Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. 
- - If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO). - - - - - - - - OL09-00-006000 - OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. - - Oracle Linux 9 - - DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - - This requirement addresses the configuration of OL 9 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. - - - - - - - - OL09-00-006002 - OL 9 must configure a DNS processing mode set be Network Manager. - - Oracle Linux 9 - - To ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured. - - - - - - - - OL09-00-006003 - OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. - - Oracle Linux 9 - - To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. - - - - - - - - OL09-00-006004 - OL 9 network interfaces must not be in promiscuous mode. 
- - Oracle Linux 9 - - Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. - - If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information systems security officer (ISSO) and restricted to only authorized personnel. - - - - - - - - OL09-00-006020 - OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - - Oracle Linux 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. - - - - - - - - OL09-00-006021 - OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. - - Oracle Linux 9 - - Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. - - Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required. - - - - - - - - OL09-00-006022 - OL 9 must log IPv4 packets with impossible addresses. - - Oracle Linux 9 - - The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. 
Logging these packets enables this activity to be detected. - - - - - - - - OL09-00-006023 - OL 9 must log IPv4 packets with impossible addresses by default. - - Oracle Linux 9 - - The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. - - - - - - - - OL09-00-006024 - OL 9 must use reverse path filtering on all IPv4 interfaces. - - Oracle Linux 9 - - Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks. - - - - - - - - OL09-00-006025 - OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - Oracle Linux 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - This feature of the IPv4 protocol has few legitimate uses. It must be disabled unless absolutely required. - - - - - - - - OL09-00-006026 - OL 9 must not forward IPv4 source-routed packets by default. - - Oracle Linux 9 - - Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. - - Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. 
- - - - - - - - OL09-00-006027 - OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default. - - Oracle Linux 9 - - Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks. - - - - - - - - OL09-00-006028 - OL 9 must not enable IPv4 packet forwarding unless the system is a router. - - Oracle Linux 9 - - Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. - - - - - - - - OL09-00-006030 - OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - - Oracle Linux 9 - - Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. - - Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. - - - - - - - - OL09-00-006031 - OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. - - Oracle Linux 9 - - Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. - - - - - - - - OL09-00-006032 - OL 9 must not send Internet Control Message Protocol (ICMP) redirects. - - Oracle Linux 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table possibly revealing portions of the network topology. - - The ability to send ICMP redirects is only appropriate for systems acting as routers. - - - - - - - - OL09-00-006033 - OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - - Oracle Linux 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. - - The ability to send ICMP redirects is only appropriate for systems acting as routers. - - - - - - - - OL09-00-006040 - OL 9 must not accept router advertisements on all IPv6 interfaces. - - Oracle Linux 9 - - An illicit router advertisement message could result in a man-in-the-middle attack. - - - - - - - - OL09-00-006041 - OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - - Oracle Linux 9 - - An illicit ICMP redirect message could result in a man-in-the-middle attack. - - - - - - - - OL09-00-006042 - OL 9 must not forward IPv6 source-routed packets. - - Oracle Linux 9 - - Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - - - - - - - OL09-00-006043 - OL 9 must not enable IPv6 packet forwarding unless the system is a router. - - Oracle Linux 9 - - IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. 
- - - - - - - - OL09-00-006044 - OL 9 must not accept router advertisements on all IPv6 interfaces by default. - - Oracle Linux 9 - - An illicit router advertisement message could result in a man-in-the-middle attack. - - - - - - - - OL09-00-006045 - OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - Oracle Linux 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - - - - - - - OL09-00-006046 - OL 9 must not forward IPv6 source-routed packets by default. - - Oracle Linux 9 - - Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It must be disabled unless it is absolutely required. - - - - - - - - OL09-00-006050 - OL 9 must be configured to use TCP syncookies. - - Oracle Linux 9 - - Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - - Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. 
- - Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071 - - - - - - - - OL09-00-008000 - OL 9 audit system must protect logon UIDs from unauthorized change. - - Oracle Linux 9 - - If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. - - Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 - - - - - - - - OL09-00-008005 - OL 9 audit system must protect auditing rules from unauthorized change. - - Oracle Linux 9 - - Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 9 system activity. - - In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable, and a system administrator could then investigate the unauthorized changes. - - Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 - - - - - - - - OL09-00-002584 - OL 9 must audit any script or executable called by cron as root or by any privileged user. - - Oracle Linux 9 - - Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions 0755 or more restrictive, and should have no extended rights that allow any nonprivileged user to modify the script or executable. - - - - - - - - RHEL-09-255060 - RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections. - - Red Hat Enterprise Linux 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
- -Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 9 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /etc/security/faillock.conf - ^\s*even_deny_root\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:10001201 - oval:mil.disa.stig.ind:obj:10001202 - - - - /proc/cmdline - \bipv6\.disable=1\b - 1 - - - /etc/audit/auditd.conf - ^\s*log_file\s*=\s*(\S+)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:20000003 - oval:mil.disa.stig.ind:obj:20000004 - - - - - /etc/rsyslog.conf - ^\*\.\*\s+action\((\s*(?:[^#\)]*(?:#.*$)?\n)*[^#\)]*)\) - 1 - - - 
- /etc/rsyslog.d - ^.*\.conf$ - ^\*\.\*\s+action\((\s*(?:[^#\)]*(?:#.*$)?\n)*[^#\)]*)\) - 1 - - - /etc/libuser.conf - ^\[defaults]((?:\r?\n(?:[^[\r\n].*)?)*) - 1 - - - /etc/libuser.conf - ^\s*crypt_style\s*=\s*(\S+)\s*$ - 1 - - - /etc/login.defs - ^\s*ENCRYPT_METHOD\s+([^#\r\n]*) - 1 - - - /etc/shadow - ^[^:]+:([^:]*): - 1 - - - - oval:mil.disa.stig.ind:obj:23023200 - oval:mil.disa.stig.ind:ste:23023200 - oval:mil.disa.stig.ind:ste:23023201 - - - - /etc/login.defs - ^\s*SHA_CRYPT_MIN_ROUNDS\s+(\d+)\b - 1 - - - /etc/login.defs - ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b - 1 - - - /etc/pam.d - password-auth - ^[ \t]*password[ \t]+sufficient[ \t]+pam_unix\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]))sha512(?:[ \t]|$) - 1 - - - /sys/fs/selinux/enforce - ^(\d+)$ - 1 - - - /etc/selinux/config - ^SELINUX=(.*)\s*$ - 1 - - - /etc/yum.repos.d - \.repo$ - ^\s*\[[^]]+\]\s*\n(?:[^[]*\n)* - 1 - - - /etc/dnf/dnf.conf - ^\s*localpkg_gpgcheck\s*=\s*(\w+)\b$ - 1 - - - /etc - sysctl.conf - (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026601 - oval:mil.disa.stig.ind:obj:23026602 - - - - - \.conf$ - (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026701 - oval:mil.disa.stig.ind:obj:23026702 - - - - - \.conf$ - (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026801 - oval:mil.disa.stig.ind:obj:23026802 - - - - /etc/sysctl.conf - ^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026900 - oval:mil.disa.stig.ind:obj:23026901 - - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ - 1 - - - 
/etc/sysctl.conf - (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23027001 - oval:mil.disa.stig.ind:obj:23027002 - - - - - /etc/sudoers - ^(?!#).*\s+NOPASSWD.*$ - 1 - - - - /etc/sudoers.d - ^.*$ - ^(?!#).*\s+NOPASSWD.*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23028000 - oval:mil.disa.stig.ind:obj:23028001 - - - - /etc/dnf/dnf.conf - ^[ \t]*clean_requirements_on_remove[ \t]*=[ \t]*(?:True|1|yes)[ \t]*$ - 1 - - - /etc/selinux/config - ^\s*SELINUXTYPE\s*=\s*(\w+)\s*$ - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)StrictModes(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)StrictModes(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23028800 - oval:mil.disa.stig.ind:obj:23028801 - - - - /etc/fstab - ^[^# \t]+\s+/var\s+ - 1 - - - /etc/fstab - - 1 - - - - /etc/audit/auditd.conf - ^\s*log_file\s*=\s*(\S+)/\S+\s*$ - 1 - - - /etc/fstab - ^[^# \t]+\s+/tmp\s+ - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)PermitRootLogin(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)PermitRootLogin(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23029600 - oval:mil.disa.stig.ind:obj:23029601 - - - - /etc/fstab - ^\s*[^#\s]+\s+/boot\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*/dev\S*\s+/\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ - 0 - - - /etc/mtab - ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ - 0 - - - /etc/sysctl.conf - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23031100 - oval:mil.disa.stig.ind:obj:23031101 - - - - - oval:mil.disa.stig.ind:obj:23031302 - 
oval:mil.disa.stig.ind:obj:23031303 - - - - - oval:mil.disa.stig.ind:obj:23031304 - oval:mil.disa.stig.ind:obj:23031305 - - - - /etc/security/limits.conf - ^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ - 1 - - - /etc/security/limits.d - \.conf$ - ^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ - 1 - - - /etc/security/limits.conf - ^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ - 1 - - - /etc/security/limits.d - \.conf$ - ^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ - 1 - - - /etc/systemd/coredump.conf - ^\s*Storage\s*=\s*(\w*)\s*(?:#.*)?$ - 1 - - - /etc/systemd/coredump.conf - ^\s*ProcessSizeMax\s*=\s*(\w*)\s*(?:#.*)?$ - 1 - - - /etc/nsswitch.conf - ^\s*hosts:\s*(.*)$ - 1 - - - oval:mil.disa.stig.ind:var:23031600 - - - /etc/resolv.conf - ^nameserver\s+(.*)$ - 1 - - - /etc/login.defs - ^\s*CREATE_HOME\s+([^#\s]+) - 1 - - - /etc/gdm/custom.conf - ^\s*\[daemon\]\s+[#\s\w=]*^\s*AutomaticLoginEnable=(\w+)\s*$ - 1 - - - /etc/security/faillock.conf - ^\s*deny\s*=\s*([\d]+)\s*$ - 1 - - - /etc/security/faillock.conf - ^\s*fail_interval\s*=\s*([\d]+)\s*$ - 1 - - - /etc/security/faillock.conf - ^\s*unlock_time\s*=\s*([\d]+)\s*$ - 1 - - - /etc/security/faillock.conf - ^\s*dir\s*=\s*(\S+)\s*(?:#.*)?$ - 1 - - - /etc/security/faillock.conf - ^\s*audit\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23034601 - oval:mil.disa.stig.ind:obj:23034602 - - - - /etc/security/limits.conf - ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - /etc/security/limits.d - .*\.conf$ - ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23034604 - oval:mil.disa.stig.ind:obj:23034605 - - - - /etc/security/limits.conf - ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - /etc/security/limits.d - .*\.conf$ - ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - - .* - 
^\[org/gnome/settings-daemon/peripherals/smartcard](?:\r?\n(?:[^[\r\n].*)?)* - 1 - - - /etc/pam.d/password-auth - ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b - 1 - - - - oval:mil.disa.stig.ind:obj:23035701 - oval:mil.disa.stig.ind:obj:23035702 - - - - /etc/security/pwquality.conf - ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23035801 - oval:mil.disa.stig.ind:obj:23035802 - - - - /etc/security/pwquality.conf - ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23035901 - oval:mil.disa.stig.ind:obj:23035902 - - - - /etc/security/pwquality.conf - ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036001 - oval:mil.disa.stig.ind:obj:23036002 - - - - /etc/security/pwquality.conf - ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036101 - oval:mil.disa.stig.ind:obj:23036102 - - - - /etc/security/pwquality.conf - ^\s*maxrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*maxrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036201 - oval:mil.disa.stig.ind:obj:23036202 - - - - /etc/security/pwquality.conf - ^\s*minclass\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*minclass\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036301 - oval:mil.disa.stig.ind:obj:23036302 - - - - /etc/security/pwquality.conf - ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - 
/etc/shadow - ^root:[^:]*:[^:]*:0*: - 1 - - - /etc/shadow - ^([^:]*):[^:]*:[^:]*:0*: - 1 - - - /etc/passwd - ^nobody:[^:]*:([0-9]+): - 1 - - - /etc/login.defs - ^\s*PASS_MIN_DAYS\s+(\d*) - 1 - - - - oval:mil.disa.stig.ind:obj:23036901 - oval:mil.disa.stig.ind:obj:23036902 - - - - /etc/security/pwquality.conf - ^\s*minlen\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*minlen\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - /etc/default/useradd - (?i)^\s*INACTIVE\s*=\s*(-?\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23037501 - oval:mil.disa.stig.ind:obj:23037502 - - - - /etc/security/pwquality.conf - ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/sssd/sssd.conf - ^\s*cache_credentials\s*=\s*true\b$ - 1 - - - /etc/sssd/sssd.conf - ^\s*offline_credentials_expiration\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - - - - /etc/sssd/conf.d - ^.+\.conf$ - ^\s*cache_credentials\s*=\s*true\b$ - 1 - - - - /etc/sssd/conf.d - ^.+\.conf$ - ^\s*offline_credentials_expiration\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23037600 - oval:mil.disa.stig.ind:obj:23037603 - - - - - oval:mil.disa.stig.ind:obj:23037602 - oval:mil.disa.stig.ind:obj:23037605 - - - - - oval:mil.disa.stig.ind:obj:23037701 - oval:mil.disa.stig.ind:obj:23037702 - - - - /etc/security/pwquality.conf - ^\s*dictcheck\s*=\s*([-\d]+)\s*(?:#.*)?$ - 1 - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*dictcheck\s*=\s*([-\d]+)\s*(?:#.*)?$ - 1 - - - /etc/login.defs - ^\s*FAIL_DELAY\s+(\d+)\s*$ - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/login.defs - ^\s*UMASK\s+([^#\s]+) - 1 - - - /etc/csh.cshrc - ^\s*(?i)umask\s*(\d+)\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+execve\s+-C\s+uid!=euid\s+-F\s+euid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+execve\s+-C\s+uid!=euid\s+-F\s+euid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+execve\s+-C\s+gid!=egid\s+-F\s+egid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+execve\s+-C\s+gid!=egid\s+-F\s+egid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*action_mail_acct\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/ - aliases - ^\s*postmaster:\s*root\s*$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*disk_error_action\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*disk_full_action\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*local_events\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*name_format\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*log_format\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - ^\s*log_file\s*=\s*(\S+)\s*(?:#.*)?$ - 1 - - - - /etc/audit/audit.rules - \n[ \t]*-e[ \t]+2\s*$ - 1 - - - /etc/audit/audit.rules - ^--loginuid-immutable$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/etc/shadow(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/etc/security/opasswd(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/etc/passwd(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/etc/gshadow(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/etc/group(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-w\s+/etc/sudoers(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/etc/sudoers.d/?(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/chage\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=\/usr\/bin\/chcon\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/ssh-agent\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/passwd\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/mount\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/umount\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/unix_update\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/postdrop\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/postqueue\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/semanage\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/setfiles\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/userhelper\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/setsebool\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/unix_chkpwd\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/libexec/openssh/ssh-keysign\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/setfacl\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/pam_timestamp_check\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/newgrp\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+init_module\s+|(\s+|,)init_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+init_module\s+|(\s+|,)init_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+finit_module\s+|(\s+|,)finit_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+finit_module\s+|(\s+|,)finit_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/gpasswd\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+delete_module\s+|(\s+|,)delete_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+delete_module\s+|(\s+|,)delete_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/crontab\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/chsh\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+chown\s+|(\s+|,)chown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+chown\s+|(\s+|,)chown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lchown\s+|(\s+|,)lchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lchown\s+|(\s+|,)lchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchownat\s+|(\s+|,)fchownat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchownat\s+|(\s+|,)fchownat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchown\s+|(\s+|,)fchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchown\s+|(\s+|,)fchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+chmod\s+|(\s+|,)chmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+chmod\s+|(\s+|,)chmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchmod\s+|(\s+|,)fchmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchmod\s+|(\s+|,)fchmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchmodat\s+|(\s+|,)fchmodat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchmodat\s+|(\s+|,)fchmodat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/sudo\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/usermod\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/chacl\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/kmod\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-w\s+/var/log/lastlog(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - /boot/loader/entries - ^.*\.conf$ - ^options\s+.*\baudit_backlog_limit=(\d+)\b - 1 - - - /etc/default/grub - ^GRUB_CMDLINE_LINUX=".*\baudit_backlog_limit=(\d+)\b.*" - 1 - - - /etc/usbguard/usbguard-daemon.conf - ^\s*AuditBackend\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/aide.conf - ^\s*/usr/sbin/auditctl\s+\S+ - 1 - - - /etc/aide.conf - ^\s*/usr/sbin/auditd\s+\S+ - 1 - - - /etc/aide.conf - ^\s*/usr/sbin/ausearch\s+\S+ - 1 - - - /etc/aide.conf - ^\s*/usr/sbin/aureport\s+\S+ - 1 - - - /etc/aide.conf - ^\s*/usr/sbin/autrace\s+\S+ - 1 - - - /etc/aide.conf - ^\s*/usr/sbin/augenrules\s+\S+ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*overflow_action\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23048101 - oval:mil.disa.stig.ind:obj:23048102 - - - - - /etc/rsyslog.conf - ^\$ActionSendStreamDriverMode\s+(\S+)\s*$ - 1 - - - - /etc/rsyslog.d - ^.*\.conf$ - ^\$ActionSendStreamDriverMode\s+(\S+)\s*$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*space_left\s*=\s*([\d]+)%\s*(?:#.*)?$ - 1 - - - /etc/chrony.conf - ^[ \t]*port[ \t]+(\d+)[ \t]*$ - 1 - - - /etc/chrony.conf - ^[ \t]*cmdport[ \t]+0[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+atm[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+atm[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+can[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+sctp[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+sctp[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+tipc[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+tipc[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+cramfs[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+cramfs[ \t]*$ - 1 - - - /etc/modprobe.conf - ^[ \t]*install[ \t]+cramfs[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.conf - ^[ 
\t]*blacklist[ \t]+cramfs[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+firewire-core[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+firewire-core[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+usb-storage[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+usb-storage[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/dev/shm\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/dev/shm\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - oval:mil.disa.stig.linux:var:23051100 - - - /etc/fstab - ^\s*[^#\s]+\s+/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - oval:mil.disa.stig.ind:var:23051400 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/log\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - oval:mil.disa.stig.ind:var:23051500 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/log\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - oval:mil.disa.stig.defs:var:23051600 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/log\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - oval:mil.disa.stig.linux:var:23051700 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/log/audit\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/log/audit\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/firewalld/firewalld.conf - ^\s*FirewallBackend\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - - /etc/ssh/sshd_config - ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* - 1 - - - /etc/systemd/system.conf - ^\s*CtrlAltDelBurstAction\s*=\s*(\S+)\s*$ - 1 - - - /etc/sysctl.conf - 
(?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053902 - oval:mil.disa.stig.ind:obj:23053905 - - - - - \.conf$ - (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054502 - oval:mil.disa.stig.ind:obj:23054503 - - - - /etc/sysctl.conf - ^\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054601 - oval:mil.disa.stig.ind:obj:23054602 - - - - - \.conf$ - ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054701 - oval:mil.disa.stig.ind:obj:23054702 - - - - - \.conf$ - ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054801 - oval:mil.disa.stig.ind:obj:23054802 - - - - /etc/postfix/main.cf - ^smtpd_client_restrictions[ \t]*=[ \t]*permit_mynetworks[, \t]+reject[ \t]*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23055501 - oval:mil.disa.stig.ind:obj:23055502 - - - - /etc/ssh/sshd_config - ^\s*(?i)X11Forwarding[ \t]+([^\s#]*)[ \t]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)X11Forwarding[ \t]+([^\s#]*)[ \t]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23055601 - oval:mil.disa.stig.ind:obj:23055602 - - - - /etc/ssh/sshd_config - ^\s*(?i)X11useLocalhost(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*(?i)X11useLocalhost(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)LogLevel(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - 
^\s*(?i)LogLevel(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23481500 - oval:mil.disa.stig.ind:obj:23481501 - - - - /etc/sudoers - ^\s*Defaults\s+!targetpw\s*$ - 1 - - - /etc/sudoers - ^\s*[#@]includedir\s+(\S+)\s*$ - 1 - - - - ^\s*Defaults\s+!targetpw\s*$ - 1 - - - /etc/sudoers - ^\s*Defaults\s+!rootpw\s*$ - 1 - - - - ^\s*Defaults\s+!rootpw\s*$ - 1 - - - /etc/sudoers - ^\s*Defaults\s+!runaspw\s*$ - 1 - - - - ^\s*Defaults\s+!runaspw\s*$ - 1 - - - - /etc/sudoers - ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - - - - /etc/sudoers.d - ^.*$ - ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23764300 - oval:mil.disa.stig.ind:obj:23764301 - - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/sudoedit\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/var/log/tallylog(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ - 1 - - - /etc/dconf/db/local.d - .* - ^\s*banner-message-enable\s*=\s*(\w+)$ - 1 - - - /usr/lib/systemd/system/emergency.service - ^ExecStart=(.*)$ - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*(?i)GSSAPIAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - /etc/ssh/sshd_config - ^\s*(?i)GSSAPIAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/boot/efi\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/dconf/db/local.d/locks - ^.*$ - ^\s*\/org\/gnome\/desktop\/session\/idle-delay$ - 1 - - - /etc/dconf/db/local.d/locks - .* - ^/org/gnome/desktop/screensaver/lock-enabled$ - 1 - - - /etc/pam.d/system-auth - \bnullok\b - 1 - - - /etc/pam.d/password-auth - \bnullok\b - 1 - - - /etc/audit/auditd.conf - (?i)^\s*space_left_action\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455402 - oval:mil.disa.stig.ind:obj:24455403 - 
- - - - \.conf$ - ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/shadow - ^[^:]+::[^:]*:[^:]*: - 1 - - - - /etc/pam.d/system-auth - ^\s*password\s+(?:required|requisite)\s+(.*)$ - 1 - - - /etc/pam.d/system-auth - ^[ \t]*password[ \t]+(?:(?:required)|(?:requisite))[ \t]+pam_pwquality\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]+))retry=([0-9]+)(?:\s|$) - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rename\s+|(\s+|,)rename(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+rename\s+|(\s+|,)rename(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+renameat\s+|(\s+|,)renameat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+renameat\s+|(\s+|,)renameat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+unlink\s+|(\s+|,)unlink(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+unlink\s+|(\s+|,)unlink(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+unlinkat\s+|(\s+|,)unlinkat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+unlinkat\s+|(\s+|,)unlinkat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/audit/audit.rules - - 1 - - - /etc/grub2.cfg - ^\s*set\s+superusers\s*=\s*"(\S+)"\s*$ - 1 - - - /boot/grub2/user.cfg - ^\s*GRUB2_PASSWORD=(\S+)\b - 1 - - - /boot/loader/entries - ^.*\.conf$ - ^options\s+(.*)$ - 1 - - - /etc/default/grub - ^GRUB_CMDLINE_LINUX="(.*)" - 1 - - - /etc/modprobe.conf - ^[ \t]*install[ \t]+atm[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.conf - ^[ \t]*blacklist[ \t]+atm[ \t]*$ - 1 - - - /etc/modprobe.conf - ^[ \t]*install[ 
\t]+firewire-core[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.conf - ^[ \t]*blacklist[ \t]+firewire-core[ \t]*$ - 1 - - - /etc/modprobe.conf - ^[ \t]*install[ \t]+sctp[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.conf - ^[ \t]*blacklist[ \t]+sctp[ \t]*$ - 1 - - - /etc/dnf/dnf.conf - ^gpgcheck=(.*)$ - 1 - - - /etc/fstab - ^\s*[^#\s][^\s]*\s+[^\s]+\s+nfs[^\s]*\s+([^\s]+) - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/var\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/NetworkManager/NetworkManager.conf - ^dns=(\S*)\s*$ - 1 - - - /etc/NetworkManager/NetworkManager.conf - ^\[main\]((?:\r?\n(?:[^[\r\n].*)?)*) - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)banner(?-i)[ \t\"]+([\w\/]+)[\"\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)banner(?-i)[ \t\"]+([\w\/]+)[\"\s]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:25798100 - oval:mil.disa.stig.ind:obj:25798101 - - - - /etc/ssh/sshd_config - ^\s*(?i)banner(?-i)[ \t]*(?:none[\s]*|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)banner(?-i)[ \t]*(?:none[\s]*|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:25798103 - oval:mil.disa.stig.ind:obj:25798104 - - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*(?i)PubkeyAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - /etc/ssh/sshd_config - ^\s*(?i)PubkeyAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:25798401 - oval:mil.disa.stig.ind:obj:25798402 - - - - /etc/ssh/sshd_config - ^(?i)\s*PermitEmptyPasswords\s+(\w+)$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^(?i)\s*PermitEmptyPasswords\s+(\w+)$ - 1 - - - - oval:mil.disa.stig.ind:obj:25798601 - oval:mil.disa.stig.ind:obj:25798602 - - - - /etc/ssh/sshd_config - ^\s*UsePAM\s+(\w*) - 1 - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*UsePAM\s+(\w*) - 1 - - - - /etc/ssh/sshd_config - ^\s*include\s+(.*)\s*$ - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*include\s+(.*)\s*$ - 1 - - - /etc/crypto-policies/back-ends/opensshserver.config - 
^\s*(?i)Ciphers(?-i)[ \t]+(\S+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/crypto-policies/back-ends/opensshserver.config - ^\s*MACs\s+(\S+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25799201 - oval:mil.disa.stig.ind:obj:25799202 - - - - /etc/ssh/sshd_config - ^(?i)\s*HostbasedAuthentication\s+(\w+)$ - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^(?i)\s*HostbasedAuthentication\s+(\w+)$ - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)ClientAliveInterval(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)ClientAliveInterval(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:25799600 - oval:mil.disa.stig.ind:obj:25799601 - - - - /etc/ssh/sshd_config - ^\s*(?i)Compression(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)Compression(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:25800200 - oval:mil.disa.stig.ind:obj:25800201 - - - - /etc/ssh/sshd_config.d - ^.*\.conf$ - ^\s*(?i)KerberosAuthentication(?-i)\s+("?\w+"?)\s*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:25800402 - oval:mil.disa.stig.ind:obj:25800400 - - - - /etc/ssh/sshd_config - ^\s*(?i)KerberosAuthentication(?-i)\s+("?\w+"?)\s*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:25800501 - oval:mil.disa.stig.ind:obj:25800502 - - - - /etc/ssh/sshd_config - ^\s*(?i)IgnoreRhosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - ^.*$ - ^\s*(?i)IgnoreRhosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)IgnoreUserKnownHosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*(?i)IgnoreUserKnownHosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - .* - ^/org/gnome/login-screen/banner-message-enable$ - 1 - - - /etc/dconf/db/local.d - 00-security-settings - 
^\s*\[org\/gnome\/desktop\/media-handling]\s*\n+[^\[]*automount-open\s*=\s*(\w+)$ - 1 - - - /etc/dconf/db/local.d/locks - .* - ^/org/gnome/desktop/media-handling/automount-open$ - 1 - - - /etc/dconf/profile/user - ^\s*system-db\s*:\s*local\s*$ - 1 - - - /etc/dconf/db/local.d/locks - ^.*$ - ^\s*\/org\/gnome\/desktop\/media-handling\/autorun-never$ - 1 - - - - .* - ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ - 1 - - - /etc/dconf/profile/user - ^system-db:(\S+)\s*$ - 1 - - - - .* - ^/org/gnome/desktop/screensaver/lock-delay$ - 1 - - - - .* - ^\[org/gnome/login-screen](?:\r?\n(?:[^[\r\n].*)?)* - 1 - - - /etc/dconf/db/local.d/locks - ^.*$ - ^\s*\/org\/gnome\/login-screen\/disable-restart-buttons$ - 1 - - - /etc/dconf/db/local.d/locks - .* - ^/org/gnome/settings-daemon/plugins/media-keys/logout$ - 1 - - - /etc/login.defs - ^\s*PASS_MAX_DAYS\s+(\d+) - 1 - - - oval:mil.disa.stig.defs:var:25804500 - - - /etc/group - ^[^:#]*:[^:]*:(\d+) - 1 - - - /etc/group - ^[^:]*:[^:]*:([^:]+): - 1 - - - oval:mil.disa.stig.defs:var:25806100 - - - /etc/bashrc - ^[^#]*\s*(?i)umask\s*(\d+)\s*$ - 1 - - - /etc/profile - ^(?i)\s*umask\s+([^#\s]+) - 1 - - - /etc/security/faillock.conf - ^\s*dir\s*=\s*(.*)\s*$ - 1 - - - - /etc/sudoers - ^(?!#).*\s+!\s*authenticate.*$ - 1 - - - - /etc/sudoers.d - ^.*$ - ^(?!#).*\s+!\s*authenticate.*$ - 1 - - - - /etc/sudoers - ^\s*ALL\s+ALL\=\(ALL(?:|\:ALL)\)\s+ALL\s*$ - 1 - - - - /etc/sudoers.d - ^.*$ - ^\s*ALL\s+ALL\=\(ALL(?:|\:ALL)\)\s+ALL\s*$ - 1 - - - /etc/pam.d/su - ^\s*auth\s+(?:required|requisite)\s+pam_wheel\.so(?:\s|$) - 1 - - - /etc/pam.d/password-auth - ^\s*password\s+sufficient\s+pam_unix\.so\s+[^#\n]*\brounds=(\d+)\b - 1 - - - /etc/pam.d/system-auth - ^\s*password\s+sufficient\s+pam_unix\.so\s+[^#\n]*\brounds=(\d+)\b - 1 - - - - oval:mil.disa.stig.ind:obj:25810101 - oval:mil.disa.stig.ind:obj:25810102 - - - - /etc/security/pwquality.conf - ^\s*enforce_for_root\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - 
^\s*enforce_for_root\s*(?:#.*)?$ - 1 - - - /etc/pam.d/sudo - ^\s*[^#\n]*\bpam_succeed_if\b - 1 - - - /etc/opensc.conf - (?i)^\s*card_drivers\s*=(.*); - 1 - - - /etc/sssd/sssd.conf - ^\s*pam_cert_auth\s*=\s*(.*)\s*$ - 1 - - - - /etc/sssd/conf.d - .+ - ^\s*pam_cert_auth\s*=\s*(.*)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25812200 - oval:mil.disa.stig.ind:obj:25812201 - - - - /etc/sssd/sssd.conf - ^\s*certificate_verification\s*=\s*(.*)\s*$ - 1 - - - /etc/sssd/conf.d - ^[^.].*\.conf$ - ^\s*certificate_verification\s*=\s*(.*)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25812300 - oval:mil.disa.stig.ind:obj:25812301 - - - - /usr/lib/systemd/system - rescue.service - ^\s*ExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell\srescue$ - 1 - - - /etc/systemd/system/rescue.service.d - ^.+\.conf$ - ^\s*ExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell\srescue$ - 1 - - - - oval:mil.disa.stig.ind:obj:25814403 - oval:mil.disa.stig.ind:obj:25814406 - - - - - oval:mil.disa.stig.ind:obj:25814404 - oval:mil.disa.stig.ind:obj:25814407 - - - - - oval:mil.disa.stig.ind:obj:25814405 - oval:mil.disa.stig.ind:obj:25814408 - - - - /etc/rsyslog.conf - ^[ \t]*(?:\S+;auth\.\*|auth\.\*;\S+|auth\.\*|\S+;auth\.\*;\S+)[ \t]+\S+\s*$ - 1 - - - /etc/rsyslog.conf - ^[ \t]*(?:\S+;authpriv\.\*|authpriv\.\*;\S+|authpriv\.\*|\S+;authpriv\.\*;\S+)[ \t]+\S+\s*$ - 1 - - - /etc/rsyslog.conf - ^[ \t]*(?:\S+;daemon\.\*|daemon\.\*;\S+|daemon\.\*|\S+;daemon\.\*;\S+)[ \t]+\S+\s*$ - 1 - - - /etc/rsyslog.d - ^.*\.conf$ - ^[ \t]*(?:\S+;auth\.\*|auth\.\*;\S+|auth\.\*|\S+;auth\.\*;\S+)[ \t]+\S+\s*$ - 1 - - - /etc/rsyslog.d - ^.*\.conf$ - ^[ \t]*(?:\S+;authpriv\.\*|authpriv\.\*;\S+|authpriv\.\*|\S+;authpriv\.\*;\S+)[ \t]+\S+\s*$ - 1 - - - /etc/rsyslog.d - ^.*\.conf$ - ^[ \t]*(?:\S+;daemon\.\*|daemon\.\*;\S+|daemon\.\*|\S+;daemon\.\*;\S+)[ \t]+\S+\s*$ - 1 - - - /etc/audit/plugins.d/syslog.conf - ^\s*active\s*=\s*(\w+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25814601 - oval:mil.disa.stig.ind:obj:25814602 - - - - 
- /etc/rsyslog.conf - ^\$ActionSendStreamDriverAuthMode\s+(\S+)\s*$ - 1 - - - - /etc/rsyslog.d - ^.*\.conf$ - ^\$ActionSendStreamDriverAuthMode\s+(\S+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25814801 - oval:mil.disa.stig.ind:obj:25814802 - - - - - /etc/rsyslog.conf - ^\$DefaultNetstreamDriver\s+(\S+)\s*$ - 1 - - - - /etc/rsyslog.d - ^.*\.conf$ - ^\$DefaultNetstreamDriver\s+(\S+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25814901 - oval:mil.disa.stig.ind:obj:25814902 - - - - - /etc/rsyslog.conf - ^\*\.\*\s+@@(\S+) - 1 - - - - /etc/rsyslog.d - ^.*\.conf$ - ^\*\.\*\s+@@(\S+) - 1 - - - oval:mil.disa.stig.defs:var:25815500 - - - /etc/audit/auditd.conf - (?i)^\s*admin_space_left\s*=\s*(\S+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*admin_space_left_action\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*max_log_file_action\s*=\s*(\S+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*freq\s*=\s*(\S+)\s*(?:#.*)?$ - 1 - - - /etc/audit/auditd.conf - (?i)^\s*write_logs\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/init\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/poweroff\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/reboot\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/shutdown\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+umount\s+|(\s+|,)umount(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+umount2\s+|(\s+|,)umount2(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+umount2\s+|(\s+|,)umount2(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/var/log/faillock(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^[ \t]*-f[ \t]+2\s*$ - 1 - - - /proc/sys/crypto/fips_enabled - ^(\d+)$ - 1 - - - /etc/ipsec.conf - ^\s*include\s+(.*)\s*$ - 1 - - - /etc/ipsec.d - ^.*\.conf$ - ^\s*include\s+(.*)\s*$ - 1 - - - /etc/named.conf - ^\s*include\s+"(.*)"\s*;\s*$ - 1 - - - /etc/crypto-policies/back-ends/openssh.config - ^\s*(?i)Ciphers(?-i)[ \t]+(\S+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/crypto-policies/back-ends/openssh.config - ^\s*MACs\s+(\S+)\s*$ - 1 - - - /etc - oracle-release - ^\s*Oracle Linux Server release 9\.(\d+)\b - 1 - - - /etc/ssh/sshd_config - ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config.d - .+ - ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ - 1 - - - - oval:mil.disa.stig.ind:obj:27170900 - oval:mil.disa.stig.ind:obj:27170901 - - - - - oval:mil.disa.stig.ind:obj:27172001 - oval:mil.disa.stig.ind:obj:27172002 - - - - /etc/ssh/sshd_config - ^(?i)\s*PermitUserEnvironment\s+(\w+)$ - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^(?i)\s*PermitUserEnvironment\s+(\w+)$ - 1 - - - - oval:mil.disa.stig.ind:obj:27175001 - oval:mil.disa.stig.ind:obj:27175002 - - - - /etc/profile - ^[^#]*\s*TMOUT=(\d+)\s*$ - 1 - - - - /etc/profile.d - 
^.+\.sh$ - ^[^#]*\s*TMOUT=(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:27185701 - oval:mil.disa.stig.ind:obj:27185702 - - - - - /etc/rsyslog.conf - - 1 - - - - /etc/rsyslog.d - ^.*\.conf$ - - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/etc/cron\.d(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-w\s+/var/spool/cron(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ - 1 - - - gnome-shell - - - gnome-shell - - - /sys/fs/selinux - - - policycoreutils - - - openssl-pkcs11 - - - rngd.service - ActiveState - - - /var - - - /var/log - - - - - - /tmp - - - /boot - - - ^/\S+$ - oval:mil.disa.stig.linux:ste:23030102 - - - kdump.service - LoadState - - - kdump.service - UnitFileState - - - kdump.service - ActiveState - - - systemd-coredump.socket - LoadState - - - systemd-coredump.socket - UnitFileState - - - .*\/home - - - audit - - - rsyslog - - - rsyslog-gnutls - - - telnet-server - - - sendmail - - - autofs.service - ActiveState - - - firewalld - - - /dev/shm - - - /dev/shm - - - /tmp - - - /tmp - - - /var/log - - - /var/log - - - /var/log - - - /var/log/audit - - - /var/log/audit - - - /var/tmp - - - /var/tmp - - - /var/tmp - - - tftp-server - - - postfix - - - xorg-x11-server-common - - - gssproxy - - - iprutils - - - tuned - - - rng-tools - - - /var/tmp - - - /boot/efi - - - fapolicyd.service - ActiveState - - - openssh-server - - - systemd-journald.service - ActiveState - - - ftp - - - nfs-utils - - - quagga - - - gnutls-utils - - - nss-tools - - - s-nail - - - autofs - - - .*\/home - - - /boot - - - firewalld.service - ActiveState - - - chrony - - - chronyd.service - ActiveState - - - libreswan - - - sshd.service - ActiveState - - - openssh-clients - - - usbguard - - - usbguard.service - ActiveState - - - - - - - policycoreutils-python-utils - - - sudo - - - fapolicyd - - - pcsc-lite - - - pcscd.socket - ActiveState - - - opensc - - - rsyslog.service - ActiveState - - - 
auditd.service - ActiveState - - - auditd.service - SubState - - - audispd-plugins - - - crypto-policies - - - bind - - - sssd - - - sssd.service - ActiveState - - - sssd.service - UnitFileState - - - oracle-linux-manager-client.* - - - aide - - - libreswan - - - /sys/firmware/efi - - - - net.ipv6.conf.all.disable_ipv6 - - - - - - /etc/passwd - - - /etc/group- - - - [\w]+ - - - - oval:mil.disa.stig.unix:obj:20000016 - oval:mil.disa.stig.unix:ste:20000017 - - - - - oval:mil.disa.stig.unix:obj:20000016 - oval:mil.disa.stig.unix:ste:20000018 - - - - net.ipv4.conf.default.rp_filter - - - /var/log/messages - - - /var/log/messages - - - /var/log/messages - - - /var/log - - - - /var/log - - - - /var/log - - - - - - \.so(\.\d+)*$ - oval:mil.disa.stig.unix:ste:20000015 - oval:mil.disa.stig.unix:ste:20000005 - - - - - \.so(\.\d+)*$ - oval:mil.disa.stig.unix:ste:20000015 - oval:mil.disa.stig.unix:ste:20000006 - - - kernel.kexec_load_disabled - - - fs.protected_symlinks - - - fs.protected_hardlinks - - - kernel.dmesg_restrict - - - kernel.perf_event_paranoid - - - kernel.randomize_va_space - - - - / - shosts.equiv - - - - / - .shosts - - - - /etc/ssh - ^.*\.pub$ - - - /etc/ssh - ^ssh_host_.*_key$ - - - kernel.core_pattern - - - - - ^\.[^\s\.]+ - - - - - ^\.[^\s\.]+ - - - - oval:mil.disa.stig.unix:obj:20000016 - oval:mil.disa.stig.unix:ste:20000017 - oval:mil.disa.stig.unix:ste:23032500 - - - - - oval:mil.disa.stig.unix:obj:20000016 - oval:mil.disa.stig.unix:ste:20000018 - oval:mil.disa.stig.unix:ste:23032500 - - - - - /etc/dconf/db - - oval:mil.disa.stig.unix:ste:23035100 - - - - oval:mil.disa.stig.unix:ste:23036400 - oval:mil.disa.stig.unix:ste:23036401 - - - .+ - oval:mil.disa.stig.unix:ste:23036702 - - - .* - oval:mil.disa.stig.unix:ste:23036704 - oval:mil.disa.stig.unix:ste:23036703 - - - root - - - - - - - - - - /etc/audit/auditd.conf - - - /etc/audit/rules.d - .rules$ - - - - - - /etc/systemd/system/ctrl-alt-del.target - - - /etc/systemd/system/debug-shell.service - - - 
root - - - net.ipv6.conf.default.accept_redirects - - - net.ipv4.conf.all.send_redirects - - - net.ipv4.icmp_echo_ignore_broadcasts - - - net.ipv6.conf.all.accept_source_route - - - net.ipv6.conf.default.accept_source_route - - - net.ipv6.conf.all.forwarding - - - net.ipv4.conf.default.send_redirects - - - net.ipv6.conf.all.accept_redirects - - - kernel.unprivileged_bpf_disabled - - - kernel.yama.ptrace_scope - - - kernel.kptr_restrict - - - user.max_user_namespaces - - - net.ipv4.conf.all.rp_filter - - - .* - - - /etc/sudoers.d - ^[^.]*[^.~]$ - - - net.ipv4.tcp_syncookies - - - net.ipv4.conf.default.accept_redirects - - - net.ipv4.conf.default.accept_source_route - - - net.ipv4.conf.all.accept_redirects - - - net.core.bpf_jit_harden - - - /etc/systemd/system/default.target - - - net.ipv6.conf.default.accept_ra - - - /boot/grub2/grub.cfg - - - /boot/grub2/grub.cfg - - - .* - oval:mil.disa.stig.unix:ste:25789000 - oval:mil.disa.stig.unix:ste:25789002 - oval:mil.disa.stig.unix:ste:25789003 - - - - - - - /etc/group - - - /etc/group- - - - /etc/gshadow - - - /etc/gshadow- - - - /etc/passwd- - - - /etc/shadow- - - - /etc/group - - - /etc/group - - - /etc/group- - - - /etc/gshadow - - - /etc/gshadow - - - /etc - gshadow- - - - /etc/gshadow- - - - /etc/passwd- - - - /etc - shadow - - - /etc/shadow - - - /etc - shadow- - - - /etc - ^cron.*$ - - - ^/etc/cron.*$ - - - - - /etc - ^cron.* - - - /etc/crontab - - - net.ipv4.conf.all.accept_source_route - - - net.ipv4.conf.all.log_martians - - - net.ipv4.conf.default.log_martians - - - net.ipv4.icmp_ignore_bogus_error_responses - - - net.ipv4.conf.all.forwarding - - - net.ipv6.conf.all.accept_ra - - - /etc/ssh/sshd_config.d/50-redhat.conf - - - /etc/ssh/sshd_config - - - - /etc/ssh/sshd_config.d - - - - - /etc/ssh/sshd_config.d - .* - - - .* - oval:mil.disa.stig.unix:ste:25804500 - - - .+ - - - - oval:mil.disa.stig.unix:obj:25804600 - oval:mil.disa.stig.unix:ste:25804601 - oval:mil.disa.stig.unix:ste:25804602 - - - - .* - - - 
/etc/audit/auditd.conf - - - /etc/crypto-policies/back-ends/krb5.config - - - - - \.so - oval:mil.disa.stig.unix:ste:20000015 - oval:mil.disa.stig.unix:ste:26048700 - - - - - \.so - oval:mil.disa.stig.unix:ste:20000015 - oval:mil.disa.stig.unix:ste:26048701 - - - - - \.so - oval:mil.disa.stig.unix:ste:20000015 - oval:mil.disa.stig.unix:ste:26048702 - - - - - \.so - oval:mil.disa.stig.unix:ste:20000015 - oval:mil.disa.stig.unix:ste:26048703 - - - - - \.so - oval:mil.disa.stig.unix:ste:20000015 - oval:mil.disa.stig.unix:ste:26048704 - - - - - ^\.[^\s\.]+ - - - - - ^\.[^\s\.]+ - - - - oval:mil.disa.stig.unix:obj:20000016 - oval:mil.disa.stig.unix:ste:20000017 - oval:mil.disa.stig.unix:ste:27176500 - - - - - oval:mil.disa.stig.unix:obj:20000016 - oval:mil.disa.stig.unix:ste:20000018 - oval:mil.disa.stig.unix:ste:27176500 - - - - - - .* - oval:mil.disa.stig.unix:ste:20000023 - - - - - .* - oval:mil.disa.stig.unix:ste:20000005 - - - - - .* - oval:mil.disa.stig.unix:ste:20000024 - oval:mil.disa.stig.unix:ste:20000002 - - - - - .* - oval:mil.disa.stig.unix:ste:20000025 - oval:mil.disa.stig.unix:ste:20000002 - - - - - - oval:mil.disa.stig.unix:ste:20000021 - oval:mil.disa.stig.unix:ste:20000006 - - - - - - oval:mil.disa.stig.unix:ste:20000021 - oval:mil.disa.stig.unix:ste:20000005 - - - - - - oval:mil.disa.stig.unix:ste:20000021 - oval:mil.disa.stig.unix:ste:20000024 - - - - - - oval:mil.disa.stig.unix:ste:20000021 - oval:mil.disa.stig.unix:ste:20000025 - - - /var/lib/aide/aide.db.gz - - - - - (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) - - - (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) - - - false - - - true - - - 0 - - - 1 - - - 2 - - - none - - - 0 - - - ^(yes|"yes")$ - - - ^(no|"no")$ - - - ^[123]$ - - - 0 - - - 0 - - - ^(True|1|yes)$ - - - (?i)^yes$ - - - yes - - - 0 - - - 077 - - - (?i)(?:^|\n)[^#]*\btype\s*=\s*"omfwd" - - - \n\s*crypt_style\s*=\s*(\S*)\s*(\n|$) - - - sha512 - - - SHA512 - - - ^[!*] - - - ^[$][6][$] - - - 100000 - - - 0 - - - enforcing - - - 
\n\s*gpgcheck\s*=\s*(True|1|yes)\s*(\n|$) - - - \n\s*gpgcheck\s*=\s*(False|0|no)\s*(\n|$) - - - 1 - - - (^|\s)vsyscall=none(\s|$) - - - targeted - - - (?:^nodev$|^nodev,|,nodev$|,nodev,) - - - ^.*noexec.*$ - - - (^|,)nosuid(,|$) - - - |/bin/false - - - 0 - - - 0 - - - (^|\s)dns(\s|$) - - - 2 - - - 3 - - - 900 - - - /var/log/faillock - - - 10 - - - \nremoval-action='lock-screen'\s*(\n|$) - - - 4 - - - 3 - - - 4 - - - 8 - - - 1 - - - 15 - - - 35 - - - 4 - - - 077 - - - 077 - - - (?i)^root$ - - - (?i)^syslog$ - - - (?i)^single$ - - - (?i)^halt$ - - - (?i)^syslog$ - - - (?i)^single$ - - - (?i)^halt$ - - - (?i)^hostname$ - - - (?i)^fqd$ - - - (?i)^numeric$ - - - (?i)^enriched$ - - - (^|\s)audit=1(\s|$) - - - 8192 - - - LinuxAudit - - - 25 - - - 100 - - - (^|\s)pti=on(\s|$) - - - (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) - - - (?:^noexec$|^noexec,|,noexec$|,noexec,) - - - nodev - - - ^.*nosuid.*$ - - - nodev - - - nosuid - - - noexec - - - nodev - - - ^.*noexec.*$ - - - (?:^nodev$|^nodev,|,nodev$|,nodev,) - - - (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) - - - nftables - - - ^(?i)\s*RekeyLimit\s+[1-9][0-9]*[kmg]?\s+([1-9][0-9]*[smhdw]?)+\s*$ - - - 1 - - - ^VERBOSE$|^"VERBOSE"$ - - - /etc/sudoers.d - - - -/usr/lib/systemd/systemd-sulogin-shell emergency - - - (?i)^email$ - - - ^pam_pwquality.so(\s|$) - - - ^(delayed|"delayed")$ - - - ^\S+$ - - - ^grub\.pbkdf2\.sha512\. 
- - - (^|\s)systemd\.confirm_spawn(\s|$) - - - (^|\s)page_poison=1(\s|$) - - - 1 - - - (^|,)sec=[^,]+(,|$) - - - (^|,)sec=([^:,]*:)?krb5[pi]?(:|,|$) - - - (^|,)sec=([^:,]*:)?sys(:|,|$) - - - (^|,)nodev(,|$) - - - \ndns= - - - none - - - default - - - systemd-resolved - - - ^\/.+$ - - - /etc/crypto-policies/back-ends/opensshserver.config - - - /etc/ssh/sshd_config.d/*.conf - - - aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr - - - "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr" - - - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 - - - "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512" - - - 600 - - - 0 - - - \ndisable-restart-buttons=(true|'true')\s*(\n|$) - - - 60 - - - - - - - - - 100000 - - - (?i)\bcac\b - - - true - - - (?i)(^|,)ocsp_dgst=sha512(,|$) - - - x509/name - - - gtls - - - ^.+$ - - - (?i)(?:^|\n)[^#]*\bprotocol\s*=\s*"tcp" - - - 10737418240 - - - 5% - - - ROTATE - - - SINGLE - - - 1 - - - 100 - - - /etc/crypto-policies/back-ends/libreswan.config - - - /etc/ipsec.d/*.conf - - - /etc/crypto-policies/back-ends/bind.config - - - (^|\s)slub_debug=P(\s|$) - - - 900 - - - noexec - - - nodev - - - nosuid - - - active - - - running - - - masked - - - enabled - - - inactive - - - selinuxfs - - - ^/dev\S*$ - - - nosuid - - - noexec - - - active - - - faillog_t - - - false - false - false - false - false - false - false - false - - - symbolic link - - - false - false - false - false - false - false - false - false - false - false - - - 0 - - - 0 - - - false - false - false - false - false - false - false - false - false - - - false - false - false - false - false - - - 0 - - - 1 - - - 2 - - - false - false - false - false - false - false - false - false - false - false - false - false - - - /dev/null - - - false - false - false - false - false - false - - - regular - - - .+ - - - 1000 - - - 0 - - - false - false - false - false - false - 
false - false - false - - - directory - - - false - false - false - false - false - false - false - - - 1000 - - - false - - - false - - - 1 - - - |/bin/false - - - / - - - ^/etc/dconf/db/.*\.d$ - - - 1000 - - - - - - 0 - - - 60 - - - - - - - - - 1000 - - - 0 - - - 1 - - - (^|\s)PROMISC(\s|$) - - - [\S]*\/multi\-user\.target$ - - - ^.*nologin.*$ - - - 1000 - - - 65534 - - - false - false - false - true - true - false - false - false - false - false - false - false - - - 1000 - - - /sbin/nologin|/usr/sbin/nologin - - - 1000 - - - 0 - - - - - - /usr/share/crypto-policies/FIPS/krb5.txt - - - true - - - true - - - true - - - true - - - true - - - / - - - false - - - 0 - - - - - - - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - - - ^\s*-a\s+(?:always,exit|exit,always) - - - \s+-F\s+arch=b32 - - - \s+-F\s+arch=b64 - - - \s+(?:-S\s+[,\w]+\s+)* - - - -S\s+[,\w]*\b - - - \b[,\w]* - - - -F\s+auid>=1000\s+-F\s+auid!=(?:4294967295|-1|unset) - - - (?:\s+(?:-k\s+|-F\s+key=)[-\w]+)*\s*$ - - - -F\s+auid=0 - - - /lib - /lib64 - /usr/lib - /usr/lib64 - - - /bin - /sbin - /usr/bin - /usr/sbin - /usr/libexec - /usr/local/bin - /usr/local/sbin - - - - - - - ^[^# \t]+\s+ - - \s+ - - - - - - - - - - - - - - - - - - - - ^ - - $ - - - - 65534 - 65535 - 4294967294 - 4294967295 - - - - - - /sbin/auditctl - /sbin/aureport - /sbin/ausearch - /sbin/autrace - /sbin/auditd - /sbin/rsyslogd - /sbin/augenrules - - - - - - - - - - - - - - - - lsetxattr - - - - - - - - - - - - - lsetxattr - - - - - - - - - - - - - lsetxattr - - - - - - - - - - - - - lsetxattr - - - - - - - - - - - - - removexattr - - - - - - - - - - - - - removexattr - - - - - - - - - - - - - removexattr - - - - - - - - - - - - - removexattr - - - - - - - - - - - - /etc/dconf/db/ - - .d/locks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^\s*\$ModLoad\s+imtcp - ^\s*\$ModLoad\s+imudp - ^\s*\$ModLoad\s+imrelp - ^\s*\$InputTCPServerRun - 
^\s*\$UDPServerRun - ^\s*\$InputRELPServerRun - - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Security Content Tool 1.6.0 - 5.11 - 2025-10-14T01:53:59 - - - - - Oracle Linux 9 is installed. - - Oracle Linux 9 - - - Oracle Linux 9 is installed. - - - - - - - - - - - - - - - oraclelinux-release - - - - - ^9\.\d+$ - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + Oracle Linux 9 + oval:mil.disa.stig.ol9os:def:1 + + + + + + accepted + Oracle Linux 9 STIG SCAP Benchmark + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + + + DISA + STIG.DOD.MIL + + Benchmark Date: 05 Jan 2026 + 3.5.2 + 1.10.0 + + + Linux with BIND installed + + + + + + Gnome-shell Package + + + + + + Linux with no NFS mounts configured + + + + + + Linux with NFS mounts configured + + + + + + Linux with Libreswan installed + + + + + + Linux IPv6 Enabled + + + + + + Linux UEFI system with boot partition file type other than VFAT + + + + + + Kernel dumps are enabled + + + + + + Linux with postfix installed + + + + + + Linux with autofs installed + + + + + + + 001.002 + + DISA + DISA + DISA + STIG.DOD.MIL + + + I - Mission Critical Classified + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Sensitive + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Classified + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Sensitive + 
<ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Classified + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Sensitive + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Disable Slow Rules + This profile disables rules known to have poor performance in some environments, such as systems with large numbers of user accounts. + + + + + CAT I Only + This profile only includes rules that are Severity Category I. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SRG-OS-000341-GPOS-00132 + <GroupDescription></GroupDescription> + + OL09-00-000002 + OL 9 must use a separate file system for the system audit data path. + <VulnDiscussion>Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cannot be halted due to the partition running out of space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001849 + Migrate the system audit data path onto a separate file system. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000003 + OL 9 must be configured so that a separate file system must be used for user home directories (such as /home or an equivalent). 
+ <VulnDiscussion>Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Migrate the "/home" directory onto a separate file system/partition. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000004 + OL 9 must use a separate file system for /tmp. + <VulnDiscussion>The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Migrate the "/tmp" path onto a separate file system. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000005 + OL 9 must use a separate file system for /var. + <VulnDiscussion>Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. 
It is not uncommon for the "/var" directory to contain world-writable directories installed by other software packages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Migrate the "/var" path onto a separate file system. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000006 + OL 9 must use a separate file system for /var/log. + <VulnDiscussion>Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Migrate the "/var/log" path onto a separate file system. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000007 + OL 9 must use a separate file system for /var/tmp. + <VulnDiscussion>The "/var/tmp" partition is used as temporary storage by many programs. 
Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Migrate the "/var/tmp" path onto a separate file system. + + + + + + + + SRG-OS-000439-GPOS-00195 + <GroupDescription></GroupDescription> + + OL09-00-000010 + OL 9 must be a vendor supported release. + <VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +End Of Life dates for Oracle Linux 9 releases are as follows: +Current end of Premier Support for Oracle Linux 9 is June 2032. +Current end of Extended Support for Oracle Linux 9 is June 2035. + +Each minor version reaches end of life when the new version is released.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002605 + Upgrade OL 9 to a supported version. 
+ + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000020 + OL 9 must be configured so that the graphical display manager is not the default target unless approved. + <VulnDiscussion>Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to boot to the command line. + +Set the default target to multi-user with the following command: +$ sudo systemctl set-default multi-user.target + +If there is an operational requirement for a graphical user interface, document it with the ISSO. + + + + + + + + SRG-OS-000080-GPOS-00048 + <GroupDescription></GroupDescription> + + OL09-00-000025 + OL 9 must require authentication to access emergency mode. + <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. 
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000213 + Configure OL 9 to require authentication for emergency mode. + +Add or modify the following line in the "/usr/lib/systemd/system/emergency.service" file: + +ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + + + + + + + + SRG-OS-000080-GPOS-00048 + <GroupDescription></GroupDescription> + + OL09-00-000030 + OL 9 must require authentication to access single-user mode. + <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. 
Information systems use access control policies and enforcement mechanisms to implement this requirement. + +This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000213 + Configure OL 9 to require authentication for single-user mode. + +Add or modify the following line in the "/usr/lib/systemd/system/rescue.service" file: + +ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000040 + OL 9 must be configured to disable the Asynchronous Transfer Mode (ATM) kernel module. + <VulnDiscussion>Disabling ATM protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Configure OL 9 to prevent the atm kernel module from being loaded. 
+ +Add the following line to the file /etc/modprobe.d/atm.conf (or create atm.conf if it does not exist): + +install atm /bin/false +blacklist atm + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000041 + OL 9 must be configured to disable the Controller Area Network (CAN) kernel module. + <VulnDiscussion>Disabling CAN protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Configure OL 9 to prevent the can kernel module from being loaded. + +Add the following line to the file /etc/modprobe.d/can.conf (or create atm.conf if it does not exist): + +install can /bin/false +blacklist can + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000042 + OL 9 must be configured to disable the FireWire kernel module. + <VulnDiscussion>Disabling firewire protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Configure OL 9 to prevent the firewire-core kernel module from being loaded. 
+ +Add the following line to the file /etc/modprobe.d/firewire-core.conf (or create firewire-core.conf if it does not exist): + +install firewire-core /bin/true +blacklist firewire-core + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000043 + OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Configure OL 9 to prevent the sctp kernel module from being loaded. + +Add the following line to the file /etc/modprobe.d/sctp.conf (or create sctp.conf if it does not exist): + +install sctp /bin/false +blacklist sctp + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000044 + OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. 
+ <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The TIPC is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free, and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Configure OL 9 to prevent the tipc kernel module from being loaded. + +Add the following line to the file /etc/modprobe.d/tipc.conf (or create tipc.conf if it does not exist): + +install tipc /bin/false +blacklist tipc + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000045 + OL 9 must disable mounting of cramfs. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Removing support for unneeded filesystem types reduces the local attack surface of the server. 
+ +Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Configure OL 9 to prevent the cramfs kernel module from being loaded. + +Add the following line to the file /etc/modprobe.d/cramfs.conf (or create blacklist.conf if it does not exist): + +install cramfs /bin/false +blacklist cramfs + +Reboot the system for the settings to take effect. + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000046 + OL 9 Bluetooth must be disabled. + <VulnDiscussion>This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the authorizing official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 9 operating system. 
+ +Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + CCI-001443 + Configure OL 9 to disable the Bluetooth adapter when not in use. + +Create or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: + +install bluetooth /bin/false +blacklist bluetooth + +Reboot the system for the settings to take effect. + + + + + + + + SRG-OS-000114-GPOS-00059 + <GroupDescription></GroupDescription> + + OL09-00-000047 + OL 9 must be configured to disable USB mass storage. + <VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. + +Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000778 + CCI-001958 + Configure OL 9 to prevent the usb-storage kernel module from being loaded. 
+ +Add the following line to the file /etc/modprobe.d/usb-storage.conf (or create usb-storage.conf if it does not exist): + +install usb-storage /bin/false +blacklist usb-storage + + + + + + + + SRG-OS-000445-GPOS-00199 + <GroupDescription></GroupDescription> + + OL09-00-000060 + OL 9 must use a Linux Security Module configured to enforce limits on system services. + <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002696 + CCI-001084 + Configure OL 9 to verify correct operation of security functions. + +Edit the file "/etc/selinux/config" and add or modify the following line: + + SELINUX=enforcing + +A reboot is required for the changes to take effect. 
+ + + + + + + + SRG-OS-000445-GPOS-00199 + <GroupDescription></GroupDescription> + + OL09-00-000065 + OL 9 must enable the SELinux targeted policy. + <VulnDiscussion>Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. + +Note: During the development or debugging of SELinux modules, it is common to temporarily place nonproduction systems in "permissive" mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to "targeted".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002696 + Configure OL 9 to use the targetd SELINUX policy. + +Edit the file "/etc/selinux/config" and add or modify the following line: + + SELINUXTYPE=targeted + +A reboot is required for the changes to take effect. + + + + + + + + SRG-OS-000033-GPOS-00014 + <GroupDescription></GroupDescription> + + OL09-00-000070 + OL 9 must enable FIPS mode. + <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000068 + CCI-000877 + CCI-002450 + CCI-002418 + Configure OL 9 to implement FIPS mode with the following command: + +$ sudo fips-mode-setup --enable + +Reboot the system for the changes to take effect. + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000100 + OL 9 must not have the nfs-utils package installed. + <VulnDiscussion>"nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. 
For example, "showmount" can display the clients that are mounted on that host.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Remove the nfs-utils package with the following command: + +$ sudo dnf remove nfs-utils + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000110 + OL 9 must not have the telnet-server package installed. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. + +The telnet service provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. 
+ +Removing the "telnet-server" package decreases the risk of accidental (or intentional) activation of the telnet service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Remove the telnet-server package with the following command: + +$ sudo dnf remove telnet-server + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000115 + OL 9 must not have the gssproxy package installed. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. 
It is not needed for normal function of the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000381 + Remove the gssproxy package with the following command: + +$ sudo dnf remove gssproxy + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000120 + OL 9 must not have the iprutils package installed. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
+ +The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Remove the iprutils package with the following command: + +$ sudo dnf remove iprutils + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000125 + OL 9 must not have the tuned package installed. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. 
The tuned package is not needed for normal OS operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Remove the tuned package with the following command: + +$ sudo dnf remove tuned + + + + + + + + SRG-OS-000074-GPOS-00042 + <GroupDescription></GroupDescription> + + OL09-00-000130 + OL 9 must not have a File Transfer Protocol (FTP) server package installed. + <VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. + +Removing the "vsftpd" package decreases the risk of accidental activation. 
+ +Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000197 + CCI-000381 + Remove the ftp package can be removed with the following command (using vsftpd as an example): + +$ sudo dnf remove vsftpd + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000135 + OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. + <VulnDiscussion>Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. + +If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Remove the tftp package can be removed with the following command: + +$ sudo dnf remove tftp + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000140 + OL 9 must not have the quagga package installed. 
+ <VulnDiscussion>Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. + +If there is no need to make the router software available, removing it provides a safeguard against its activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Remove the quagga package with the following command: + +$ sudo dnf remove quagga + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000145 + OL 9 must not have a graphical display manager installed unless approved. + <VulnDiscussion>Unnecessary service packages must not be installed to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000382 + Remove all xorg packages with the following command: + +Warning: If accessing the system through the graphical user interface, change to the multi-user.target with the following command: + +$ sudo systemctl isolate multi-user.target + +Warning: Removal of the graphical user interface will immediately render it useless. The following commands must not be run from a virtual terminal emulator in the graphical interface. + +$ sudo dnf remove "xorg*" +$ sudo systemctl set-default multi-user.target + +If there is an operational requirement for a graphical user interface it must be documented with the ISSO. + + + + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + OL09-00-000150 + OL 9 must not have the sendmail package installed. + <VulnDiscussion>The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. 
Postfix must be used instead.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000381 + Remove the sendmail package with the following command: + +$ sudo dnf remove sendmail + + + + + + + + SRG-OS-000134-GPOS-00068 + <GroupDescription></GroupDescription> + + OL09-00-000200 + OL 9 must have policycoreutils package installed. + <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. 
These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001084 + Install the policycoreutils package with the following command: + +$ sudo dnf install -y policycoreutils + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000210 + OL 9 policycoreutils-python-utils package must be installed. + <VulnDiscussion>The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Install the policycoreutils-python-utils service package (if the policycoreutils-python-utils service is not already installed) with the following command: + +$ sudo dnf install -y policycoreutils-python-utils + + + + + + + + SRG-OS-000096-GPOS-00050 + <GroupDescription></GroupDescription> + + OL09-00-000220 + OL 9 must have the firewalld package installed. 
+ <VulnDiscussion>Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. + +Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +OL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000382 + CCI-002314 + CCI-002322 + Install the firewalld package with the following command: + +$ sudo dnf install -y firewalld + + + + + + + + SRG-OS-000096-GPOS-00050 + <GroupDescription></GroupDescription> + + OL09-00-000221 + OL 9 must be configured so that the firewalld service is active. 
+ <VulnDiscussion>Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. + +Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +OL 9 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000382 + CCI-002314 + Enable the firewalld service with the following command: + +$ sudo systemctl enable --now firewalld + +Note: If firewalld is masked, run following command: + +sudo systemctl unmask firewalld + + + + + + + + SRG-OS-000324-GPOS-00125 + <GroupDescription></GroupDescription> + + OL09-00-000230 + OL 9 must have the sudo package installed. 
+ <VulnDiscussion>sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to complete their work.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002235 + The sudo package can be installed with the following command: + +# dnf install -y sudo + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000231 + OL 9 must use the invoking user's password for privilege escalation when using sudo. + <VulnDiscussion>If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to use the invoking user's password for privilege escalation when using sudo. 
+ +Define the following in the Defaults section of the /etc/sudoers file or a single configuration file in the /etc/sudoers.d/ directory: + +Defaults !targetpw +Defaults !rootpw +Defaults !runaspw + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000232 + OL 9 must restrict privilege elevation to authorized personnel. + <VulnDiscussion>If the sudoers file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Remove the following entries from the /etc/sudoers file or configuration file under /etc/sudoers.d/: + +ALL ALL=(ALL) ALL +ALL ALL=(ALL:ALL) ALL + + + + + + + + SRG-OS-000396-GPOS-00176 + <GroupDescription></GroupDescription> + + OL09-00-000240 + OL 9 must have the crypto-policies package installed. + <VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. 
+ +Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002450 + CCI-002890 + CCI-003123 + Install the crypto-policies package (if not already installed) with the following command: + +$ sudo dnf install -y crypto-policies + + + + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + OL09-00-000250 + OL 9 networked systems must have SSH installed. + <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002418 + CCI-002421 + CCI-002420 + CCI-002422 + The openssh-server package can be installed with the following command: + +$ sudo dnf install -y openssh-server + + + + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + OL09-00-000251 + OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. + <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002418 + CCI-002421 + CCI-002420 + CCI-002422 + Enable the sshd service with the following command: + +$ systemctl enable --now sshd + + + + + + + + SRG-OS-000250-GPOS-00093 + <GroupDescription></GroupDescription> + + OL09-00-000252 + The OL 9 SSH daemon must be configured to use systemwide cryptographic policies. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001453 + Configure the OL 9 SSH daemon to use systemwide cryptographic policies by running the following commands: + +$ sudo dnf reinstall -y openssh-server + + + + + + + + SRG-OS-000250-GPOS-00093 + <GroupDescription></GroupDescription> + + OL09-00-000254 + OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001453 + Configure the OL 9 SSH server to use only ciphers employing FIPS 140-3 approved algorithms. + +Reinstall crypto-policies with the following command: + +$ sudo dnf -y reinstall crypto-policies + +Set the crypto-policy to FIPS with the following command: + +$ sudo update-crypto-policies --set FIPS + +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. + + + + + + + + SRG-OS-000250-GPOS-00093 + <GroupDescription></GroupDescription> + + OL09-00-000255 + OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001453 + Configure the OL 9 SSH server to use only MACs employing FIPS 140-3 approved algorithms. + +Reinstall crypto-policies with the following command: + +$ sudo dnf -y reinstall crypto-policies + +Set the crypto-policy to FIPS with the following command: + +$ sudo update-crypto-policies --set FIPS + +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. + + + + + + + + SRG-OS-000023-GPOS-00006 + <GroupDescription></GroupDescription> + + OL09-00-000256 + OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. + <VulnDiscussion>The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. 
Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000048 + CCI-001384 + CCI-001385 + CCI-001386 + CCI-001387 + CCI-001388 + Configure OL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via ssh. + +Edit the "etc/ssh/sshd_config" file or a file in "/etc/ssh/sshd_config.d" to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). + +An example configuration line is: + +Banner /etc/issue + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000260 + OL 9 must have the openssh-clients package installed. 
+ <VulnDiscussion>This package includes utilities to make encrypted connections and transfer files securely to SSH servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Install the openssh-clients package with the following command: + +$ sudo dnf install -y openssh-clients + + + + + + + + SRG-OS-000250-GPOS-00093 + <GroupDescription></GroupDescription> + + OL09-00-000261 + OL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001453 + Configure the SSH client to use only ciphers employing FIPS 140-3 approved algorithms. + +Reinstall crypto-policies with the following command: + +$ sudo dnf -y reinstall crypto-policies + +Set the crypto-policy to FIPS with the following command: + +$ sudo update-crypto-policies --set FIPS + +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. + + + + + + + + SRG-OS-000250-GPOS-00093 + <GroupDescription></GroupDescription> + + OL09-00-000262 + OL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001453 + Configure the SSH client to use only MACs employing FIPS 140-3 approved algorithms. + +Reinstall crypto-policies with the following command: + +$ sudo dnf -y reinstall crypto-policies + +Set the crypto-policy to FIPS with the following command: + +$ sudo update-crypto-policies --set FIPS + +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. + + + + + + + + SRG-OS-000105-GPOS-00052 + <GroupDescription></GroupDescription> + + OL09-00-000270 + OL 9 must have the openssl-pkcs11 package installed. + <VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. 
A privileged account is defined as an information system account with authorizations of a privileged user. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. + +Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000765 + CCI-004046 + CCI-001953 + CCI-001954 + Install the openssl-pkcs11 package with the following command: + +$ sudo dnf install -y openssl-pkcs11 + + + + + + + + SRG-OS-000705-GPOS-00150 + <GroupDescription></GroupDescription> + + OL09-00-000285 + OL 9 must have the SSSD package installed. + <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004046 + CCI-004047 + CCI-000765 + CCI-000766 + Install the SSSD package with the following command: + +$ sudo dnf install -y sssd + + + + + + + + SRG-OS-000705-GPOS-00150 + <GroupDescription></GroupDescription> + + OL09-00-000286 + OL 9 must use the SSSD package for multifactor authentication services. + <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. 
+ +Multifactor authentication requires using two or more factors to achieve authentication. + +Factors include: +1) Something a user knows (e.g., password/PIN); +2) Something a user has (e.g., cryptographic identification device, token); and +3) Something a user is (e.g., biometric). + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). + +The DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. + +Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00161</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004046 + CCI-004047 + CCI-000765 + CCI-000767 + Configure the sssd.service to start automatically on reboot with the following command: + +$ sudo systemctl enable sssd.service + +Ensure the sssd service is running: + +$ sudo systemctl start sssd.service + + + + + + + + SRG-OS-000363-GPOS-00150 + <GroupDescription></GroupDescription> + + OL09-00-000290 + OL 9 must have the s-nail package installed. 
+ <VulnDiscussion>The s-nail package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001744 + Install the s-nail package with the following command: + +$ sudo dnf install -y s-nail + + + + + + + + SRG-OS-000363-GPOS-00150 + <GroupDescription></GroupDescription> + + OL09-00-000300 + OL 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. + <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
+ +Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001744 + CCI-002696 + Install AIDE, initialize it, and perform a manual check. + +Install AIDE: + +$ sudo dnf install -y aide + +Initialize AIDE: + +$ sudo /usr/sbin/aide --init + +Example output: + +Start timestamp: 2023-06-05 10:09:04 -0600 (AIDE 0.16) +AIDE initialized database at /var/lib/aide/aide.db.new.gz + +Number of entries: 86833 + +--------------------------------------------------- +The attributes of the (uncompressed) database(s): +--------------------------------------------------- + +/var/lib/aide/aide.db.new.gz + MD5 : coZUtPHhoFoeD7+k54fUvQ== + SHA1 : DVpOEMWJwo0uPgrKZAygIUgSxeM= + SHA256 : EQiZH0XNEk001tcDmJa+5STFEjDb4MPE + TGdBJ/uvZKc= + SHA512 : 86KUqw++PZhoPK0SZvT3zuFq9yu9nnPP + toei0nENVELJ1LPurjoMlRig6q69VR8l + +44EwO9eYyy9nnbzQsfG1g== + +End timestamp: 2023-06-05 10:09:57 -0600 (run time: 0m 53s) + +The new database will need to be renamed to be read by AIDE: + +$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + +Perform a manual check: + +$ sudo /usr/sbin/aide --check + +Example output: + +2023-06-05 10:16:08 -0600 (AIDE 0.16) +AIDE found NO differences between database and filesystem. Looks okay!! + + + + + + + + SRG-OS-000355-GPOS-00143 + <GroupDescription></GroupDescription> + + OL09-00-000310 + OL 9 must have the chrony package installed. + <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004923 + Install the chrony package with the following command: + +$ sudo dnf install -y chrony + + + + + + + + SRG-OS-000355-GPOS-00143 + <GroupDescription></GroupDescription> + + OL09-00-000311 + OL 9 must enable the chronyd service. + <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
+ +Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004923 + Enable the chronyd service with the following command: + +$ sudo systemctl enable --now chronyd + + + + + + + + SRG-OS-000378-GPOS-00163 + <GroupDescription></GroupDescription> + + OL09-00-000320 + OL 9 must have the USBGuard package installed. + <VulnDiscussion>The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001958 + Install the usbguard package with the following command: + +$ sudo dnf install -y usbguard + + + + + + + + SRG-OS-000378-GPOS-00163 + <GroupDescription></GroupDescription> + + OL09-00-000321 + OL 9 must enable the USBGuard package. + <VulnDiscussion>The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001958 + Enable the USBGuard service with the following command: + +$ sudo systemctl enable --now usbguard + + + + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> + + OL09-00-000330 + OL 9 must have the subscription-manager package installed. + <VulnDiscussion>Oracle Linux Manager, based on the Spacewalk open source software, helps automate Oracle Linux systems management. This enables users to control the system software life cycle from initial installation through maintenance, software configuration, upgrades, and eventual decommissioning. 
Oracle Linux Manager also helps automate a kickstart installation, system configuration, and maintenance tasks, which enables rapid deployment of proven and consistent software configurations for Oracle Linux systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-003992 + Install the oracle-linux-manager package with the following command: + +$ sudo dnf install -y oracle-linux-manager-client-release-el9 + + + + + + + + SRG-OS-000370-GPOS-00155 + <GroupDescription></GroupDescription> + + OL09-00-000340 + OL 9 must have the fapolicy module installed. + <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. + +Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. + +OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. 
It can be used to either blocklist or allowlist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + +Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001774 + CCI-001764 + Install the fapolicyd package with the following command: + +$ sudo dnf install -y fapolicyd + + + + + + + + SRG-OS-000370-GPOS-00155 + <GroupDescription></GroupDescription> + + OL09-00-000341 + OL 9 must enable the fapolicy module. + <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. + +Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. + +OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". 
"fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blocklist or allowlist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + +Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001774 + CCI-001764 + Enable the fapolicyd service with the following command: + +$ sudo systemctl enable --now fapolicyd + + + + + + + + SRG-OS-000479-GPOS-00224 + <GroupDescription></GroupDescription> + + OL09-00-000350 + OL 9 must have the rsyslog package installed. + <VulnDiscussion>rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS, and DTLS protocols), to create a method to securely encrypt and offload auditing. 
+ +Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + CCI-000154 + The rsyslogd package can be installed with the following command: + +$ sudo dnf install -y rsyslogd + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000351 + OL 9 must be configured so that the rsyslog service is active. + <VulnDiscussion>The rsyslog service must be running to provide logging services, which are essential to system administration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Enable the rsyslog service with the following command: + +$ sudo systemctl enable --now rsyslog + + + + + + + + SRG-OS-000120-GPOS-00061 + <GroupDescription></GroupDescription> + + OL09-00-000355 + OL 9 must have the packages required for encrypting offloaded audit logs installed. 
+ <VulnDiscussion>The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000803 + Install the rsyslog-gnutls package with the following command: + +$ sudo dnf install -y rsyslog-gnutls + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000360 + OL 9 must enable the hardware random number generator entropy gatherer service. + <VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. 
Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Install the rng-tools package with the following command: + +$ sudo dnf install -y rng-tools + +Enable the rngd service run the following command: + +$ sudo systemctl enable --now rngd + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000370 + OL 9 must have the rng-tools package installed. + <VulnDiscussion>rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Install the rng-tools package with the following command: + +$ sudo dnf install -y rng-tools + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000380 + OL 9 must have the nss-tools package installed. + <VulnDiscussion>Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. 
Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Install the nss-tools package with the following command: + +$ sudo dnf install -y nss-tools + + + + + + + + SRG-OS-000375-GPOS-00160 + <GroupDescription></GroupDescription> + + OL09-00-000390 + OL 9 must have the pcsc-lite package installed. + <VulnDiscussion>The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004046 + Install the pcsc-lite package with the following command: + +$ sudo dnf install -y pcsc-lite + + + + + + + + SRG-OS-000375-GPOS-00160 + <GroupDescription></GroupDescription> + + OL09-00-000400 + OL 9 must have the opensc package installed. + <VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. 
+ +The DOD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. + +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004046 + CCI-001953 + Install the opensc package with the following command: + +$ sudo dnf install -y opensc + + + + + + + + SRG-OS-000375-GPOS-00160 + <GroupDescription></GroupDescription> + + OL09-00-000401 + OL 9 must be configured so that the pcscd service is active. + <VulnDiscussion>The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +The daemon program for pcsc-lite and the MuscleCard framework is pcscd. 
It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004046 + Enable the pcscd service with the following command: + +$ sudo systemctl enable --now pcscd + + + + + + + + SRG-OS-000120-GPOS-00061 + <GroupDescription></GroupDescription> + + OL09-00-000410 + OL 9 must have the libreswan package installed. + <VulnDiscussion>Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000803 + Install the libreswan service (if it is not already installed) with the following command: + +$ sudo dnf install -y libreswan + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000430 + OL 9 must have the gnutls-utils package installed. + <VulnDiscussion>GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols and technologies around them. 
It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Install the gnutls-utils package with the following command: + +$ sudo dnf install -y gnutls-utils + + + + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + OL09-00-000440 + OL 9 must have the audit package installed. + <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured OL 9 system. 
+ +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000169 + CCI-000130 + CCI-000131 + CCI-000132 + CCI-000133 + CCI-000134 + CCI-000135 + CCI-000154 + CCI-000158 + CCI-001876 + CCI-001464 + CCI-001487 + CCI-001914 + CCI-001875 + CCI-001877 + CCI-001878 + CCI-001879 + CCI-001880 + CCI-001881 + CCI-001882 + CCI-001889 + CCI-003938 + CCI-002884 + CCI-000172 + CCI-000159 + Install the audit service package (if the audit service is not already installed) with the following command: + +$ sudo dnf install -y audit + + + + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + OL09-00-000441 + OL 9 audit service must be enabled. + <VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. + +Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000169 + CCI-000130 + CCI-000131 + CCI-000132 + CCI-000133 + CCI-000134 + CCI-000135 + CCI-000154 + CCI-000158 + CCI-001876 + CCI-001464 + CCI-001487 + CCI-001914 + CCI-001875 + CCI-001877 + CCI-001878 + CCI-001879 + CCI-001880 + CCI-001881 + CCI-001882 + CCI-001889 + CCI-003938 + CCI-002884 + CCI-000172 + Enable the auditd service with the following command: + +$ sudo systemctl enable --now auditd + + + + + + + + SRG-OS-000342-GPOS-00133 + <GroupDescription></GroupDescription> + + OL09-00-000450 + OL 9 must have the audispd-plugins package installed. 
+ <VulnDiscussion>audispd-plugins provides plug-ins for the real-time interface to the audit subsystem, audispd. These plug-ins can do things like relay events to remote machines or analyze events for suspicious behavior.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + The audispd-plugins package can be installed with the following command: + +$ sudo dnf install -y audispd-plugins + + + + + + + + SRG-OS-000437-GPOS-00194 + <GroupDescription></GroupDescription> + + OL09-00-000495 + OL 9 must remove all software components after updated versions have been installed. + <VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002617 + Configure OL 9 to remove all software components after updated versions have been installed. 
+ +Edit the file /etc/dnf/dnf.conf by adding or editing the following line: + + clean_requirements_on_remove=1 + + + + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> + + OL09-00-000496 + OL 9 must check the GPG signature of locally installed software packages before installation. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +All software packages must be signed with a cryptographic key recognized and approved by the organization. + +Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-003992 + Configure dnf to always check the GPG signature of local software packages before installation. + +Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: + +localpkg_gpgcheck=1 + + + + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> + + OL09-00-000497 + OL 9 must check the GPG signature of software packages originating from external software repositories before installation. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +All software packages must be signed with a cryptographic key recognized and approved by the organization. + +Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-003992 + Configure dnf to always check the GPG signature of software packages originating from external software repositories before installation. + +Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: + +gpgcheck=1 + + + + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> + + OL09-00-000498 + OL 9 must have GPG signature verification enabled for all software repositories. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +All software packages must be signed with a cryptographic key recognized and approved by the organization. + +Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-003992 + Configure all software repositories defined in "/etc/yum.repos.d/" to have "gpgcheck" enabled: + +$ sudo sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* + + + + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + OL09-00-000500 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. + <VulnDiscussion>The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000015 + CCI-002884 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/sudoers -p wa -k identity + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + OL09-00-000505 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. + <VulnDiscussion>The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000015 + CCI-002884 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/sudoers.d/ -p wa -k identity + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + OL09-00-000510 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. + <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000015 + CCI-002884 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/group -p wa -k identity + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + OL09-00-000515 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. + <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000015 + CCI-002884 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/gshadow -p wa -k identity + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + OL09-00-000520 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. + <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000015 + CCI-002884 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/security/opasswd -p wa -k identity + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + OL09-00-000525 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. + <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000015 + CCI-002884 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/passwd -p wa -k identity + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + OL09-00-000530 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. + <VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000015 + CCI-002884 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/shadow -p wa -k identity + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000535 + OL 9 must audit all uses of the unix_update command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the "unix_update" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000540 + OL 9 must audit all uses of the su command. 
+ <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the su command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000545 + OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to audit the execution of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F 
auid=0 -k perm_mod + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000550 + OL 9 must audit all uses of the chage command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chage command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000555 + OL 9 must audit all uses of the chcon command. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chcon command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000560 + OL 9 must audit all uses of the setfacl command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the setfacl command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000565 + OL 9 must audit all uses of the chsh command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chsh command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000570 + OL 9 must audit all uses of the crontab command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the crontab command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000575 + OL 9 must audit all uses of the gpasswd command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the gpasswd command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000580 + OL 9 must audit all uses of the newgrp command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the newgrp command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000585 + OL 9 must audit all uses of the pam_timestamp_check command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the pam_timestamp_check command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000590 + OL 9 must audit all uses of the passwd command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the passwd command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000595 + OL 9 must audit all uses of the postdrop command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the postdrop command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000600 + OL 9 must audit all uses of the postqueue command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the postqueue command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000605 + OL 9 must audit all uses of the ssh-agent command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the ssh-agent command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000610 + OL 9 must audit all uses of the ssh-keysign command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the ssh-keysign command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000615 + OL 9 must audit all uses of the sudoedit command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the sudoedit command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000620 + OL 9 must audit all uses of the unix_chkpwd command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the unix_chkpwd command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000625 + OL 9 must audit all uses of the userhelper command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the userhelper command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000630 + OL 9 must audit all uses of the mount command. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the mount command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000635 + OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate an audit event for any successful/unsuccessful use of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access +-a always,exit -F 
arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access + +-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000640 + OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chmod, fchmod, and fchmodat system calls. + +Add or update the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000645 + OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chown, fchown, fchownat, and lchown system calls. + +Add or update the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000650 + OL 9 must audit all uses of the semanage command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the semanage command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000655 + OL 9 must audit all uses of the setfiles command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the setfiles command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000660 + OL 9 must audit all uses of the setsebool command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate an audit event for any successful/unsuccessful use of the setsebool command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000665 + OL 9 must audit all uses of the chacl command. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the chacl command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000670 + OL 9 must audit all uses of the sudo command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the sudo command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000675 + OL 9 must audit all uses of the usermod command. + <VulnDiscussion>Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the usermod command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000680 + OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate an audit event for any successful/unsuccessful use of the rename, unlink, rmdir, renameat, and unlinkat system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete +-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000685 + OL 9 must audit all uses of the delete_module system call. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate an audit event for any successful/unsuccessful use of the delete_module system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng +-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000690 + OL 9 must audit all uses of the init_module and finit_module system calls. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate an audit event for any successful/unsuccessful use of the init_module and finit_module system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000695 + OL 9 must audit all uses of the kmod command. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the kmod command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000700 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. 
+ <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /var/log/lastlog -p wa -k logins + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000705 + OL 9 must audit all uses of umount system calls. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000169 + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records upon successful/unsuccessful attempts to use the umount command by adding or updating the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000256-GPOS-00097 + <GroupDescription></GroupDescription> + + OL09-00-000710 + OL 9 must use cryptographic mechanisms to protect the integrity of audit tools. + <VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. 
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. + +Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. + +To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. + +Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001493 + CCI-001494 + CCI-001495 + CCI-001496 + Configure OL 9 to protect the integrity of the audit tools. 
+ +Add or update the following lines to /etc/aide.conf: + +/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + + + + + + + + SRG-OS-000326-GPOS-00126 + <GroupDescription></GroupDescription> + + OL09-00-000715 + OL 9 must audit uses of the execve system call. + <VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. + +Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-OS-000755-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002233 + CCI-002234 + CCI-004188 + Configure OL 9 to audit the execution of the execve system call. 
+ +Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + +Note: Users must reboot to view above results with command "auditctl -l | grep execve". + + + + + + + + SRG-OS-000392-GPOS-00172 + <GroupDescription></GroupDescription> + + OL09-00-000720 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /var/log/faillock -p wa -k logins + +The audit daemon must be restarted for the changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000392-GPOS-00172 + <GroupDescription></GroupDescription> + + OL09-00-000725 + OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002884 + CCI-000172 + Configure OL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /var/log/tallylog -p wa -k logins + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000477-GPOS-00222 + <GroupDescription></GroupDescription> + + OL09-00-000730 + OL 9 must be configured so that successful/unsuccessful uses of the init command generate an audit record. 
+ <VulnDiscussion>Misuse of the init command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the init command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000477-GPOS-00222 + <GroupDescription></GroupDescription> + + OL09-00-000735 + OL 9 must be configured so that successful/unsuccessful uses of the poweroff command generate an audit record. 
+ <VulnDiscussion>Misuse of the poweroff command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the poweroff command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000477-GPOS-00222 + <GroupDescription></GroupDescription> + + OL09-00-000740 + OL 9 must be configured so that successful/unsuccessful uses of the reboot command generate an audit record. 
+ <VulnDiscussion>Misuse of the reboot command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the reboot command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000477-GPOS-00222 + <GroupDescription></GroupDescription> + + OL09-00-000745 + OL 9 must be configured so that successful/unsuccessful uses of the shutdown command generate an audit record. 
+ <VulnDiscussion>Misuse of the shutdown command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the shutdown command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000750 + OL 9 must enable auditing of processes that start prior to the audit daemon. + <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-002884 + CCI-000172 + CCI-001464 + Enable auditing of processes that start prior to the audit daemon with the following command: + +$ sudo grubby --update-kernel=ALL --args="audit=1" + +Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +GRUB_CMDLINE_LINUX="audit=1" + + + + + + + + SRG-OS-000039-GPOS-00017 + <GroupDescription></GroupDescription> + + OL09-00-000755 + OL 9 must label all offloaded audit logs before sending them to the central log server. + <VulnDiscussion>Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + +When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. 
+ +Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000132 + CCI-001851 + Configure OL 9 to label all offloaded audit logs before sending them to the central log server. + +Edit the /etc/audit/auditd.conf file and add or update the "name_format" option: + +name_format = hostname + +The audit daemon must be restarted for changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + OL09-00-000760 + OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. + <VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000169 + Configure OL 9 to shut down by default upon audit failure (unless availability is an overriding concern). + +Add or update the following line (depending on configuration "disk_error_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: + +disk_error_action = HALT + +If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". + + + + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + OL09-00-000765 + OL 9 audit system must take appropriate action when the audit storage volume is full. + <VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000169 + Configure OL 9 to shut down by default upon audit failure (unless availability is an overriding concern). + +Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: + +disk_full_action = HALT + +If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". + + + + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + OL09-00-000770 + OL 9 audit system must take appropriate action when the audit files have reached maximum size. + <VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000169 + Configure OL 9 to rotate the audit log when it reaches maximum size. + +Add or update the following line in "/etc/audit/auditd.conf" file: + +max_log_file_action = ROTATE + + + + + + + + SRG-OS-000051-GPOS-00024 + <GroupDescription></GroupDescription> + + OL09-00-000775 + OL 9 must periodically flush audit records to disk to prevent the loss of audit records. + <VulnDiscussion>If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000154 + Configure OL 9 to flush audit to disk by adding or updating the following configuration in "/etc/audit/auditd.conf": + +freq = 100 + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + OL09-00-000785 + OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. 
+ <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000162 + CCI-000163 + CCI-000164 + CCI-001314 + Configure OL 9 audit logs to be group-owned by "root" or a restricted logging group. + +Change the group of the directory of "/var/log/audit" to be owned by a correct group. + +Identify the group that is configured to own audit log: + +$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf + +Change the ownership to that group: + +$ sudo chgrp ${GROUP} /var/log/audit + + + + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + OL09-00-000790 + OL 9 audit log directory must be owned by root to prevent unauthorized read access. + <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000162 + CCI-000163 + CCI-000164 + CCI-001314 + Configure OL 9 to protect the audit log from unauthorized read access by setting the correct owner as "root" with the following command: + +$ sudo chown root /var/log/audit + + + + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + OL09-00-000795 + OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000162 + CCI-000163 + CCI-000164 + CCI-001314 + Configure the audit logs to have a mode of "0600" with the following command: + +Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". + +$ sudo chmod 0600 /var/log/audit/[audit_log_file] + +Check the group that owns the system audit logs: + +$ sudo grep -m 1 -q ^log_group /etc/audit/auditd.conf + +If the log_group is not defined or it is set to root, configure the permissions the following way: + +$ sudo chmod 0640 $log_file +$ sudo chmod 0440 $log_file.* + +Otherwise, configure the permissions the following way: + +$ sudo chmod 0600 $log_file +$ sudo chmod 0400 $log_file.* + + + + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + OL09-00-000800 + OL 9 audit system must audit local events. + <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
+ +If option "local_events" isn't set to "yes" only events from network will be aggregated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000169 + Configure OL 9 to generate audit records for local events by adding or updating the following line in "/etc/audit/auditd.conf": + +local_events = yes + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000063-GPOS-00032 + <GroupDescription></GroupDescription> + + OL09-00-000805 + OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. + <VulnDiscussion>Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000171 + Configure the files in directory "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file to have a mode of "0640" with the following commands: + +$ sudo chmod 0640 /etc/audit/rules.d/audit.rules +$ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules +$ sudo chmod 0640 /etc/audit/auditd.conf + + + + + + + + SRG-OS-000063-GPOS-00032 + <GroupDescription></GroupDescription> + + OL09-00-000810 + OL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. + <VulnDiscussion>Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000171 + Configure the /etc/audit/auditd.conf file to have a mode of 0640 with the command: + +$ sudo chmod 0640 /etc/audit/auditd.conf + + + + + + + + SRG-OS-000046-GPOS-00022 + <GroupDescription></GroupDescription> + + OL09-00-000815 + OL 9 must forward mail from postmaster to the root account using a postfix alias. + <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000139 + Configure a valid email address as an alias for the root account. 
+ +Append the following line to "/etc/aliases": + +postmaster: root + +Then, run the following command: + +$ sudo newaliases + + + + + + + + SRG-OS-000046-GPOS-00022 + <GroupDescription></GroupDescription> + + OL09-00-000820 + OL 9 must take appropriate action when a critical audit processing failure occurs. + <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00135</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000139 + CCI-000140 + Configure OL 9 to shut down when auditing failures occur. + +Add the following line to the bottom of the /etc/audit/audit.rules file: + +-f 2 + + + + + + + + SRG-OS-000046-GPOS-00022 + <GroupDescription></GroupDescription> + + OL09-00-000825 + The OL 9 system administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. + <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000139 + CCI-001855 + Configure the auditd service to notify the SA and ISSO in the event of an audit processing failure. + +Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: + +action_mail_acct = root + +The audit daemon must be restarted for changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000254-GPOS-00095 + <GroupDescription></GroupDescription> + + OL09-00-000830 + OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. + <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. + +Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001464 + CCI-001849 + Configure OL 9 to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: + +$ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192 + + + + + + + + SRG-OS-000255-GPOS-00096 + <GroupDescription></GroupDescription> + + OL09-00-000835 + OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. + <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
+ +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001487 + Configure OL 9 to produce audit records containing information to establish the identity of any individual or process associated with the event. + +Edit the /etc/audit/auditd.conf file and add or update the "log_format" option: + +log_format = ENRICHED + +The audit daemon must be restarted for changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000840 + OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record. + <VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000169 + CCI-002884 + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the umount system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory: + +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-000845 + OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record. + <VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing discretionary access control (DAC) modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000169 + CCI-002884 + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the umount2 system call by adding the following rules to a rules file in /etc/audit/rules.d/ directory: (Example /etc/audit/rules.d/audit.rules) + +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000341-GPOS-00132 + <GroupDescription></GroupDescription> + + OL09-00-000850 + OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. + <VulnDiscussion>To ensure OL 9 systems have a sufficient storage capacity in which to write the audit logs, OL 9 needs to be able to allocate audit record storage capacity. + +The task of allocating audit record storage capacity is usually performed during initial installation of OL 9. 
+ +Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001849 + CCI-001851 + Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. + +If audit records are stored on a partition made specifically for audit records, resize the partition with sufficient space to contain one week of audit records. + +If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created. + + + + + + + + SRG-OS-000342-GPOS-00133 + <GroupDescription></GroupDescription> + + OL09-00-000855 + OL 9 must be configured to offload audit records onto a different system from the system being audited via syslog. + <VulnDiscussion>The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. 
+ +Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + Configure OL 9 to offload audit records onto a different system from the system being audited via syslog. + +Edit the /etc/audit/plugins.d/syslog.conf file and add or update the "active" option: + +active = yes + +The audit daemon must be restarted for changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000342-GPOS-00133 + <GroupDescription></GroupDescription> + + OL09-00-000860 + OL 9 must take appropriate action when the internal event queue is full. + <VulnDiscussion>The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Offloading is a common process in information systems with limited audit storage capacity. + +Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + Configure OL 9 to take appropriate action when the internal event queue is full. 
+ +Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option: + +overflow_action = syslog + +The audit daemon must be restarted for changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000343-GPOS-00134 + <GroupDescription></GroupDescription> + + OL09-00-000865 + OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. + <VulnDiscussion>If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001855 + Configure OL 9 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches (at most) 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file: + +space_left = 25% + + + + + + + + SRG-OS-000343-GPOS-00134 + <GroupDescription></GroupDescription> + + OL09-00-000870 + OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. 
+ <VulnDiscussion>If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001855 + Configure OL 9 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches (at most) 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file: + +space_left_action = email + + + + + + + + SRG-OS-000343-GPOS-00134 + <GroupDescription></GroupDescription> + + OL09-00-000875 + OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. 
+ <VulnDiscussion>If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001855 + Configure OL 9 to initiate an action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. + +admin_space_left = 5% + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-000880 + OL 9 must write audit records to disk. + <VulnDiscussion>Audit data should be synchronously written to disk to ensure log integrity. This setting ensures that all audit event data is written disk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the audit system to write log files to the disk. + +Edit the /etc/audit/auditd.conf file and add or update the "write_logs" option to "yes": + +write_logs = yes + +The audit daemon must be restarted for changes to take effect. 
+ +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000343-GPOS-00134 + <GroupDescription></GroupDescription> + + OL09-00-000885 + OL 9 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. + <VulnDiscussion>If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001855 + Configure the auditd service to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. + +Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity: + +admin_space_left_action = single + +The audit daemon must be restarted for changes to take effect. + +Restart auditd: +$ sudo service auditd restart + + + + + + + + SRG-OS-000375-GPOS-00160 + <GroupDescription></GroupDescription> + + OL09-00-000925 + OL 9 must enable certificate-based smart card authentication. + <VulnDiscussion>Without the use of multifactor authentication (MFA), the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. 
The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. + +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004046 + CCI-000765 + Configure OL 9 to enable certificate-based smart card authentication. + +Edit the file "/etc/sssd/sssd.conf" and add or edit the following line: + +pam_cert_auth = True + + + + + + + + SRG-OS-000375-GPOS-00160 + <GroupDescription></GroupDescription> + + OL09-00-000930 + OL 9 must implement certificate status checking for multifactor authentication (MFA). + <VulnDiscussion>Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. + +OL 9 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, SSSD performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. 
+ +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004046 + CCI-001954 + Configure OL 9 to implement certificate status checking for MFA. + +Review the "/etc/sssd/conf.d/certificate_verification.conf" file to determine if the system is configured to prevent OCSP or certificate verification. + +Add the following line to the "/etc/sssd/conf.d/certificate_verification.conf" file: + +certificate_verification = ocsp_dgst=sha512 + +Set the correct ownership and permissions on the "/etc/sssd/conf.d/certificate_verification.conf" file by running these commands: + +$ sudo chown root:root "/etc/sssd/conf.d/certificate_verification.conf" +$ sudo chmod 600 "/etc/sssd/conf.d/certificate_verification.conf" + +The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: + +$ sudo systemctl restart sssd.service + + + + + + + + SRG-OS-000383-GPOS-00166 + <GroupDescription></GroupDescription> + + OL09-00-000935 + OL 9 must prohibit the use of cached authenticators after one day. 
+ <VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002007 + Configure the SSSD to prohibit the use of cached authentications after one day. + +Add or change the following line in "/etc/sssd/sssd.conf" just below the line [pam]: + +offline_credentials_expiration = 1 + + + + + + + + SRG-OS-000104-GPOS-00051 + <GroupDescription></GroupDescription> + + OL09-00-000940 + OL 9 must use the CAC smart card driver. + <VulnDiscussion>Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. 
+ +Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000764 + CCI-000766 + CCI-000765 + CCI-004045 + CCI-001941 + Configure OL 9 to load the CAC driver. + +Add or modify the following line in the "/etc/opensc.conf" file: + +card_drivers = cac; + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-001000 + OL 9 must ensure the password complexity module is enabled in the system-auth file. + <VulnDiscussion>Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to use "pwquality" to enforce password complexity rules. 
+ +Add the following line to the "/etc/pam.d/system-auth" file(or modify the line to have the required value): + +password required pam_pwquality.so + + + + + + + + SRG-OS-000069-GPOS-00037 + <GroupDescription></GroupDescription> + + OL09-00-001001 + OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +OL 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to limit the "pwquality" retry option to "3". + +Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): + +password required pam_pwquality.so retry=3 + + + + + + + + SRG-OS-000069-GPOS-00037 + <GroupDescription></GroupDescription> + + OL09-00-001005 + OL 9 must enforce password complexity by requiring that at least one uppercase character be used. 
+ <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce password complexity by requiring that at least one uppercase character is used by setting the "ucredit" option. + +Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): + +ucredit = -1 + + + + + + + + SRG-OS-000069-GPOS-00037 + <GroupDescription></GroupDescription> + + OL09-00-001010 + OL 9 must ensure the password complexity module is enabled in the password-auth file. + <VulnDiscussion>Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. 
+ +Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to use "pwquality" to enforce password complexity rules. + +Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): + +password required pam_pwquality.so + + + + + + + + SRG-OS-000070-GPOS-00038 + <GroupDescription></GroupDescription> + + OL09-00-001015 + OL 9 must enforce password complexity by requiring that at least one lowercase character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce password complexity by requiring at least one lowercase character is used by setting the "lcredit" option. + +Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + +lcredit = -1 + + + + + + + + SRG-OS-000071-GPOS-00039 + <GroupDescription></GroupDescription> + + OL09-00-001020 + OL 9 must enforce password complexity by requiring that at least one numeric character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce password complexity by requiring at least one numeric character is used by setting the "dcredit" option. + +Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + +dcredit = -1 + + + + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> + + OL09-00-001025 + OL 9 must require the change of at least eight characters when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords will not resemble previously compromised ones. 
Note that passwords changed on compromised systems will still be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option. + +Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + +difok = 8 + + + + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> + + OL09-00-001030 + OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. + +Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): + +maxclassrepeat = 4 + + + + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> + + OL09-00-001035 + OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. + +Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + +maxrepeat = 3 + + + + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> + + OL09-00-001040 + OL 9 must require the change of at least four character classes when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to require the change of at least four character classes when passwords are changed by setting the "minclass" option. + +Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + +minclass = 4 + + + + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> + + OL09-00-001045 + OL 9 must enforce password complexity rules for the root account. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+ +Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce password complexity on the root account. + +Add or update the following line in /etc/security/pwquality.conf: + +enforce_for_root + + + + + + + + SRG-OS-000073-GPOS-00041 + <GroupDescription></GroupDescription> + + OL09-00-001050 + OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. + <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + +This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. 
Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004062 + Configure OL 9 to use the SHA-512 algorithm for password hashing. + +Add or change the following line in the "[default]" section of "/etc/libuser.conf" file: + +crypt_style = sha512 + + + + + + + + SRG-OS-000073-GPOS-00041 + <GroupDescription></GroupDescription> + + OL09-00-001055 + OL 9 must be configured to use the shadow file to store only encrypted representations of passwords. + <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + +This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. 
Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004062 + Configure OL 9 to store only SHA-512 encrypted representations of passwords. + +Add or update the following line in the "/etc/login.defs" file: + +ENCRYPT_METHOD SHA512 + + + + + + + + SRG-OS-000073-GPOS-00041 + <GroupDescription></GroupDescription> + + OL09-00-001060 + OL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. + <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. + +OL 9 systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004062 + Configure OL 9 to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. + +Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so: + +password sufficient pam_unix.so sha512 + + + + + + + + SRG-OS-000073-GPOS-00041 + <GroupDescription></GroupDescription> + + OL09-00-001065 + OL 9 password-auth must be configured to use a sufficient number of hashing rounds. + <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + +Using more hashing rounds makes password cracking attacks more difficult. 
+ +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004062 + CCI-000803 + Configure Oracle Linux 9 to use 100000 hashing rounds for hashing passwords. + +Add or modify the following line in "/etc/pam.d/password-auth" and set "rounds" to "100000". + +password sufficient pam_unix.so sha512 rounds=100000 + + + + + + + + SRG-OS-000073-GPOS-00041 + <GroupDescription></GroupDescription> + + OL09-00-001070 + OL 9 system-auth must be configured to use a sufficient number of hashing rounds. + <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + +Using more hashing rounds makes password cracking attacks more difficult. + +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004062 + CCI-000803 + Configure Oracle Linux 9 to use 100000 hashing rounds for hashing passwords. 
+ +Add or modify the following line in "/etc/pam.d/system-auth" and set "rounds" to 100000. + +password sufficient pam_unix.so sha512 rounds=100000' + + + + + + + + SRG-OS-000073-GPOS-00041 + <GroupDescription></GroupDescription> + + OL09-00-001075 + OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds. + <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + +Using more hashing rounds makes password cracking attacks more difficult. + +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004062 + CCI-000803 + Configure OL 9 to encrypt all stored passwords with a strong cryptographic hash. + +Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "100000": + +SHA_CRYPT_MIN_ROUNDS 100000 +SHA_CRYPT_MAX_ROUNDS 100000 + + + + + + + + SRG-OS-000073-GPOS-00041 + <GroupDescription></GroupDescription> + + OL09-00-001080 + OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. + <VulnDiscussion>The system must use a strong hashing algorithm to store the password. + +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004062 + CCI-000803 + Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. + +To lock an account: + +$ sudo passwd -l [username] + + + + + + + + SRG-OS-000075-GPOS-00043 + <GroupDescription></GroupDescription> + + OL09-00-001085 + OL 9 passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs. + <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. 
+ +Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce 24 hours as the minimum password lifetime. + +Add the following line in "/etc/login.defs" (or modify the line to have the required value): + +PASS_MIN_DAYS 1 + + + + + + + + SRG-OS-000075-GPOS-00043 + <GroupDescription></GroupDescription> + + OL09-00-001090 + OL 9 passwords must have a 24-hour minimum password lifetime restriction in /etc/shadow. + <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure noncompliant accounts to enforce a 24-hour minimum password lifetime: + +$ sudo passwd -n 1 [user] + + + + + + + + SRG-OS-000076-GPOS-00044 + <GroupDescription></GroupDescription> + + OL09-00-001095 + OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. + <VulnDiscussion>Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. + +Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce a 60-day maximum password lifetime. + +Add or modify the following line in the "/etc/login.defs" file: + +PASS_MAX_DAYS 60 + + + + + + + + SRG-OS-000076-GPOS-00044 + <GroupDescription></GroupDescription> + + OL09-00-001100 + OL 9 user account passwords must have a 60-day maximum password lifetime restriction. + <VulnDiscussion>Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If OL 9 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that OL 9 passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure noncompliant accounts to enforce a 60-day maximum password lifetime restriction. + +passwd -x 60 [user] + + + + + + + + SRG-OS-000078-GPOS-00046 + <GroupDescription></GroupDescription> + + OL09-00-001105 + OL 9 passwords must be created with a minimum of 15 characters. 
+ <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + +OL 9 uses "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. + +The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, but they will not count toward the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. + +The DOD minimum password requirement is 15 characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce a minimum 15-character password length. + +Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + +minlen = 15 + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-001110 + OL 9 must not allow blank or null passwords. 
+ <VulnDiscussion>If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" files to prevent logons with empty passwords. + +Note: Manual changes to the listed file may be overwritten by the "authselect" program. + + + + + + + + SRG-OS-000080-GPOS-00048 + <GroupDescription></GroupDescription> + + OL09-00-001115 + OL 9 must require a boot loader superuser password. + <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
+ +Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000213 + Configure OL 9 to require a grub bootloader password for the grub superuser account. + +Generate an encrypted grub2 password for the grub superuser account with the following command: + +$ sudo grub2-setpassword +Enter password: +Confirm password: + + + + + + + + SRG-OS-000266-GPOS-00101 + <GroupDescription></GroupDescription> + + OL09-00-001120 + OL 9 must enforce password complexity by requiring that at least one special character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. OL 9 uses "pwquality" as a mechanism to enforce password complexity. 
Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004066 + Configure OL 9 to enforce password complexity by requiring at least one special character be used by setting the "ocredit" option. + +Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + +ocredit = -1 + + + + + + + + SRG-OS-000480-GPOS-00225 + <GroupDescription></GroupDescription> + + OL09-00-001125 + OL 9 must prevent the use of dictionary words for passwords. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If OL 9 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to prevent the use of dictionary words for passwords. + +Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: + +dictcheck=1 + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-001130 + OL 9 must not have accounts configured with blank or null passwords. + <VulnDiscussion>If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 so that all accounts have a password or lock the account with the following commands: + +Perform a password reset: + +$ sudo passwd [username] + +To lock an account: + +$ sudo passwd -l [username] + + + + + + + + SRG-OS-000114-GPOS-00059 + <GroupDescription></GroupDescription> + + OL09-00-002000 + OL 9 file system automount function must be disabled unless required. + <VulnDiscussion>An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. + +Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000778 + CCI-001958 + Configure OL 9 to disable and mask the ability to automount devices. 
+ +The autofs service can be disabled and masked with the following command: + +$ sudo systemctl mask --now autofs.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002011 + OL 9 must prevent special devices on file systems that are imported via Network File System (NFS). + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Update each NFS mounted file system to use the "nodev" option on file systems that are being imported via NFS. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002012 + OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). + <VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Update each NFS mounted file system to use the "noexec" option on file systems that are being imported via NFS. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002013 + OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). + <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Update each NFS mounted file system to use the "nosuid" option on file systems that are being imported via NFS. 
+ + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002030 + OL 9 must mount /boot with the nodev option. + <VulnDiscussion>The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /boot with the nodev option. + +Modify "/etc/fstab" to use the "nodev" option on the "/boot" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002031 + OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. + <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on the /boot directory. + +Modify "/etc/fstab" to use the "nosuid" option on the "/boot" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002032 + OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. + <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-001764 + Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. 
+ +Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002040 + OL 9 must mount /dev/shm with the nodev option. + <VulnDiscussion>The nodev mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /dev/shm with the nodev option. + +Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002041 + OL 9 must mount /dev/shm with the noexec option. + <VulnDiscussion>The noexec mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /dev/shm with the noexec option. + +Modify "/etc/fstab" to use the "noexec" option on the "/dev/shm" file system. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002042 + OL 9 must mount /dev/shm with the nosuid option. + <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /dev/shm with the nosuid option. + +Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system. 
+ + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002050 + OL 9 must mount /tmp with the nodev option. + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /tmp with the nodev option. + +Modify "/etc/fstab" to use the "nodev" option on the "/tmp" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002051 + OL 9 must mount /tmp with the noexec option. + <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /tmp with the noexec option. + +Modify "/etc/fstab" to use the "noexec" option on the "/tmp" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002052 + OL 9 must mount /tmp with the nosuid option. + <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /tmp with the nosuid option. + +Modify "/etc/fstab" to use the "nosuid" option on the "/tmp" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002060 + OL 9 must mount /var with the nodev option. 
+ <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var with the nodev option. + +Modify "/etc/fstab" to use the "nodev" option on the "/var" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002061 + OL 9 must mount /var/log with the nodev option. + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
+ +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/log with the nodev option. + +Modify "/etc/fstab" to use the "nodev" option on the "/var/log" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002062 + OL 9 must mount /var/log with the noexec option. + <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/log with the noexec option. + +Modify "/etc/fstab" to use the "noexec" option on the "/var/log" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002063 + OL 9 must mount /var/log with the nosuid option. 
+ <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/log with the nosuid option. + +Modify "/etc/fstab" to use the "nosuid" option on the "/var/log" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002064 + OL 9 must mount /var/log/audit with the nodev option. + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
+ +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/log/audit with the nodev option. + +Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002065 + OL 9 must mount /var/log/audit with the noexec option. + <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/log/audit with the noexec option. + +Modify "/etc/fstab" to use the "noexec" option on the "/var/log/audit" directory. 
+ + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002066 + OL 9 must mount /var/log/audit with the nosuid option. + <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/log/audit with the nosuid option. + +Modify "/etc/fstab" to use the "nosuid" option on the "/var/log/audit" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002067 + OL 9 must mount /var/tmp with the nodev option. + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
+ +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/tmp with the nodev option. + +Modify "/etc/fstab" to use the "nodev" option on the "/var/tmp" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002068 + OL 9 must mount /var/tmp with the noexec option. + <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/tmp with the noexec option. + +Modify "/etc/fstab" to use the "noexec" option on the "/var/tmp" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002069 + OL 9 must mount /var/tmp with the nosuid option. 
+ <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to mount /var/tmp with the nosuid option. + +Modify "/etc/fstab" to use the "nosuid" option on the "/var/tmp" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002070 + OL 9 must prevent device files from being interpreted on file systems that contain user home directories. + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
+ +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to prevent device files from being interpreted on file systems that contain user home directories. + +Modify "/etc/fstab" to use the "nodev" option on the "/home" directory. + + + + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + OL09-00-002071 + OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. + <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001764 + Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. + +Modify "/etc/fstab" to use the "nosuid" option on the "/home" directory. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002072 + OL 9 must prevent code from being executed on file systems that contain user home directories. + <VulnDiscussion>The noexec mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to prevent code from being executed on file systems that contain user home directories. + +Modify "/etc/fstab" to use the "noexec" option on the "/home" directory. 
+ + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002080 + OL 9 must prevent special devices on nonroot local partitions. + <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions. + + + + + + + + SRG-OS-000114-GPOS-00059 + <GroupDescription></GroupDescription> + + OL09-00-002100 + OL 9 must disable the graphical user interface automount function unless required. + <VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. 
+ +Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000778 + CCI-001958 + Configure the GNOME desktop to disable automated mounting of removable media. + +The dconf settings can be edited in the /etc/dconf/db/* location. + +Update the [org/gnome/desktop/media-handling] section of the "/etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines: + +[org/gnome/desktop/media-handling] +automount-open=false + +Update the dconf system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000114-GPOS-00059 + <GroupDescription></GroupDescription> + + OL09-00-002120 + OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. + <VulnDiscussion>A nonprivileged account is any operating system account with authorizations of a nonprivileged user. + +Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000778 + CCI-001958 + Configure the GNOME desktop to not allow a user to change the setting that disables automated mounting of removable media. 
+ +Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: + +/org/gnome/desktop/media-handling/automount-open + +Update the dconf system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000114-GPOS-00059 + <GroupDescription></GroupDescription> + + OL09-00-002121 + OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. + <VulnDiscussion>Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. + +Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000778 + CCI-001958 + Configure the GNOME desktop to not allow a user to change the setting that disables autorun on removable media. + +Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: + +/org/gnome/desktop/media-handling/autorun-never + +Update the dconf system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000023-GPOS-00006 + <GroupDescription></GroupDescription> + + OL09-00-002122 + OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. 
+ <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000048 + CCI-001384 + CCI-001385 + CCI-001386 + CCI-001387 + CCI-001388 + Configure OL 9 to prevent a user from overriding the banner setting for graphical user interfaces. + +Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: + +$ sudo touch /etc/dconf/db/local.d/locks/session + +Add the following setting to prevent nonprivileged users from modifying it: + +/org/gnome/login-screen/banner-message-enable + +Run the following command to update the database: + +$ sudo dconf update + + + + + + + + SRG-OS-000028-GPOS-00009 + <GroupDescription></GroupDescription> + + OL09-00-002123 + OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. 
+ <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000056 + CCI-000057 + Configure OL 9 to prevent a user from overriding settings for graphical user interfaces. + +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: + +Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
+ +$ sudo touch /etc/dconf/db/local.d/locks/session + +Add the following setting to prevent nonprivileged users from modifying it: + +/org/gnome/desktop/screensaver/lock-enabled + +Update the system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000029-GPOS-00010 + <GroupDescription></GroupDescription> + + OL09-00-002124 + OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. + <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. + +Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000057 + CCI-000060 + Configure OL 9 to prevent a user from overriding settings for graphical user interfaces. + +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: + +Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
+ +$ sudo touch /etc/dconf/db/local.d/locks/session + +Add the following setting to prevent nonprivileged users from modifying it: + +/org/gnome/desktop/session/idle-delay + +Update the system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000029-GPOS-00010 + <GroupDescription></GroupDescription> + + OL09-00-002125 + OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. + <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000057 + Configure OL 9 to prevent a user from overriding settings for graphical user interfaces. + +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: + +Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
+ +$ sudo touch /etc/dconf/db/local.d/locks/session + +Add the following setting to prevent nonprivileged users from modifying it: + +/org/gnome/desktop/screensaver/lock-delay + +Update the system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000028-GPOS-00009 + <GroupDescription></GroupDescription> + + OL09-00-002126 + OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. + <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000056 + CCI-000057 + Configure OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. 
+ +Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock": + +/org/gnome/settings-daemon/peripherals/smartcard/removal-action + +Update the dconf system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002127 + OL 9 must disable the ability of a user to restart the system from the login screen. + <VulnDiscussion>A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to disable a user's ability to restart the system. + +Add or update the [org/gnome/settings-daemon/] section of the /etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines: + +[org/gnome/settings-daemon/peripherals/smartcard] +disable-restart-buttons='true' + +Then update the dconf system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002128 + OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. + <VulnDiscussion>A user who is at the console can reboot the system at the login screen. 
If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to prevent a user from overriding the disable-restart-buttons setting for graphical user interfaces. + +Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: + +$ sudo touch /etc/dconf/db/local.d/locks/session + +Add the following line to prevent nonprivileged users from modifying it: + +/org/gnome/login-screen/disable-restart-buttons + +Run the following command to update the database: + +$ sudo dconf update + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002129 + OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. + <VulnDiscussion>A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. 
If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to disallow the user changing the Ctrl-Alt-Del sequence in the GNOME desktop. + +Create a database to container system-wide graphical user logon settings (if it does not already exist) with the following command: + +$ sudo touch /etc/dconf/db/local.d/locks/session + +Add the following line to the session locks file to prevent nonprivileged users from modifying the Ctrl-Alt-Del setting: + +/org/gnome/settings-daemon/plugins/media-keys/logout + +Run the following command to update the database: + +$ sudo dconf update + + + + + + + + SRG-OS-000023-GPOS-00006 + <GroupDescription></GroupDescription> + + OL09-00-002150 + OL 9 must be configured to enable the display of the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. + <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. 
+ +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000048 + CCI-001384 + CCI-001385 + CCI-001386 + CCI-001387 + CCI-001388 + Configure OL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a graphical user logon. + +Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: + +$ sudo touch /etc/dconf/db/local.d/01-banner-message + +Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": + +[org/gnome/login-screen] + +banner-message-enable=true + +Run the following command to update the database: + +$ sudo dconf update + + + + + + + + SRG-OS-000028-GPOS-00009 + <GroupDescription></GroupDescription> + + OL09-00-002160 + OL 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. + <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000056 + CCI-000057 + Configure OL 9 to enable a user's session lock until that user reestablishes access using established identification and authentication procedures. + +Select or create an authselect profile and incorporate the "with-smartcard-lock-on-removal" feature with the following example: + +$ sudo authselect select sssd with-smartcard with-smartcard-lock-on-removal + +Alternatively, the dconf settings can be edited in the /etc/dconf/db/* location. + +Add or update the [org/gnome/settings-daemon/peripherals/smartcard] section of the /etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines: + +[org/gnome/settings-daemon/peripherals/smartcard] +removal-action='lock-screen' + +Update the dconf system databases: + +$ sudo dconf update + + + + + + + + SRG-OS-000480-GPOS-00229 + <GroupDescription></GroupDescription> + + OL09-00-002161 + OL 9 must not allow unattended or automatic logon via the graphical user interface. 
+ <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure the GNOME desktop display manager to disable automatic login. + +Set AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example: + +[daemon] +AutomaticLoginEnable=false + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002301 + OL 9 must define default permissions for the bash shell. + <VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to define default permissions for all authenticated users using the bash shell. 
+ +Add or edit the lines for the "umask" parameter in the "/etc/bashrc" file to "077": + +umask 077 + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002302 + OL 9 must define default permissions for the c shell. + <VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to define default permissions for all authenticated users using the c shell. + +Add or edit the lines for the "umask" parameter in the "/etc/csh.cshrc" file to "077": + +umask 077 + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002303 + OL 9 must define default permissions for the system default profile. + <VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + +Add or edit the lines for the "umask" parameter in the "/etc/profile" file to "077": + +umask 077 + + + + + + + + SRG-OS-000480-GPOS-00228 + <GroupDescription></GroupDescription> + + OL09-00-002304 + OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + <VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. 
+ +Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to "077": + +UMASK 077 + + + + + + + + SRG-OS-000096-GPOS-00050 + <GroupDescription></GroupDescription> + + OL09-00-002320 + OL 9 must disable the chrony daemon from acting as a server. + <VulnDiscussion>Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. + +Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000382 + CCI-000381 + Configure OL 9 to disable the chrony daemon from acting as a server by adding/modifying the following line in the /etc/chrony.conf file: + +port 0 + + + + + + + + SRG-OS-000096-GPOS-00050 + <GroupDescription></GroupDescription> + + OL09-00-002321 + OL 9 must disable network management of the chrony daemon. + <VulnDiscussion>Not exposing the management interface of the chrony daemon on the network diminishes the attack space. 
+ +Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000382 + CCI-000381 + Configure OL 9 to disable network management of the chrony daemon by adding/modifying the following line in the /etc/chrony.conf file: + +cmdport 0 + + + + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + OL09-00-002330 + OL 9 must enable Linux audit logging for the USBGuard daemon. + <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + +DOD has defined the list of events for which OL 9 will provide an audit record generation capability as the following: + +1. Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2. 
Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3. All account creations, modifications, disabling, and terminations; and + +4. All kernel module load, unload, and restart actions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000169 + Configure OL 9 USBGuard AuditBackend to use the audit system. + +Add or edit the following line in /etc/usbguard/usbguard-daemon.conf + +AuditBackend=LinuxAudit + + + + + + + + SRG-OS-000032-GPOS-00013 + <GroupDescription></GroupDescription> + + OL09-00-002340 + OL 9 must log SSH connection attempts and failures to the server. + <VulnDiscussion>SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. 
The logout record can eliminate those users who disconnected, which helps narrow the field.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000067 + Configure OL 9 to log connection attempts add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". + +LogLevel VERBOSE + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000364-GPOS-00151 + <GroupDescription></GroupDescription> + + OL09-00-002341 + OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. + <VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001813 + Configure the SSH daemon to not allow GSSAPI authentication. 
+ +Add or uncomment the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" and set the value to "no": + +GSSAPIAuthentication no + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + OL09-00-002342 + OL 9 must force a frequent session key renegotiation for SSH connections to the server. + <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + +Session key regeneration limits the chances of a session key becoming compromised. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002418 + CCI-000068 + CCI-002421 + Configure OL 9 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": + +RekeyLimit 1G 1h + +Restart the SSH daemon for the settings to take effect. + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000106-GPOS-00053 + <GroupDescription></GroupDescription> + + OL09-00-002343 + OL 9 SSHD must not allow blank passwords. + <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000766 + Configure OL 9 to prevent SSH users from logging on with blank passwords by editing the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": + +PermitEmptyPasswords no + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000125-GPOS-00065 + <GroupDescription></GroupDescription> + + OL09-00-002344 + OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. + <VulnDiscussion>When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000877 + Configure the OL 9 SSHD to use the UsePAM interface by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". 
+ +UsePAM yes + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000109-GPOS-00056 + <GroupDescription></GroupDescription> + + OL09-00-002345 + OL 9 must not permit direct logons to the root account using remote access via SSH. + <VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-004045 + Configure OL 9 to prevent SSH users from logging on directly as root by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". + +PermitRootLogin no + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000163-GPOS-00072 + <GroupDescription></GroupDescription> + + OL09-00-002346 + OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. + <VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001133 + CCI-002361 + Note: This setting must be applied in conjunction with ClientAliveInterval to function correctly. 
+ +Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. + +Modify or append the following lines in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": + +ClientAliveCountMax 1 + +In order for the changes to take effect, the SSH daemon must be restarted. + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000163-GPOS-00072 + <GroupDescription></GroupDescription> + + OL09-00-002347 + OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. + <VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. 
The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, SSHD will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001133 + CCI-002361 + CCI-002891 + Note: This setting must be applied in conjunction with ClientAliveCountMax" setting to function correctly. + +Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. + +Modify or append the following lines in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": + +ClientAliveInterval 600 + +In order for the changes to take effect, the SSH daemon must be restarted. + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002348 + OL 9 SSH daemon must not allow rhosts authentication. 
+ <VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the SSH daemon to not allow rhosts authentication. + +Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": + +IgnoreRhosts yes + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002349 + OL 9 SSH daemon must not allow known hosts authentication. + <VulnDiscussion>Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the SSH daemon to not allow known hosts authentication. 
+ +Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": + +IgnoreUserKnownHosts yes + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002350 + OL 9 SSH daemon must disable remote X connections for interactive users. + <VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the SSH daemon to not allow X11 forwarding. + +Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "no": + +X11Forwarding no + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002351 + OL 9 SSH daemon must perform strict mode checking of home directory configuration files. 
+ <VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the SSH daemon to perform strict mode checking of home directory configuration files. + +Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": + +StrictModes yes + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002352 + OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. + <VulnDiscussion>Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the SSH daemon to provide users with feedback on when account accesses last occurred. 
+ +Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": + +PrintLastLog yes + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002354 + OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. + <VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. + +Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "yes": + +X11UseLocalhost yes + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002355 + OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. 
+ <VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the SSH daemon to not allow compression. + +Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "delayed" or "no": + +Compression no + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000364-GPOS-00151 + <GroupDescription></GroupDescription> + + OL09-00-002356 + OL 9 SSH daemon must not allow Kerberos authentication. + <VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. 
Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001813 + Configure the SSH daemon to not allow Kerberos authentication. + +Add the following line in "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "no": + +KerberosAuthentication no + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00229 + <GroupDescription></GroupDescription> + + OL09-00-002357 + OL 9 must not allow a noncertificate trusted host SSH logon to the system. + <VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not allow a noncertificate trusted host SSH logon to access the system. + +Add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". 
+ +HostbasedAuthentication no + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00229 + <GroupDescription></GroupDescription> + + OL09-00-002358 + OL 9 must not allow users to override SSH environment variables. + <VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the OL 9 SSH daemon to not allow unattended or automatic logon to the system. + +Add or edit the following line in the "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": + +PermitUserEnvironment no + +Restart the SSH daemon for the setting to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000105-GPOS-00052 + <GroupDescription></GroupDescription> + + OL09-00-002359 + OL 9 SSHD must accept public key authentication. + <VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication. 
+ +Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000765 + CCI-000766 + Configure OL 9 to accept public key authentication by adding or modifying the following line in "/etc/ssh/sshd_config". + +PubkeyAuthentication yes + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002360 + OL 9 must require reauthentication when using the "sudo" command. + <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to reauthenticate when using the "sudo" command. 
+ +If the value is set to an integer less than "0", the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to reauthenticate "sudo" commands after the specified timeout: + +Add the following line to "/etc/sudoers": + +Defaults timestamp_timeout=0 + + + + + + + + SRG-OS-000312-GPOS-00123 + <GroupDescription></GroupDescription> + + OL09-00-002361 + OL 9 must restrict the use of the su command. + <VulnDiscussion>The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002165 + Configure OL 9 to require users to be in the "wheel" group to run su command. 
+ +In file "/etc/pam.d/su", uncomment the following line: + +"#auth required pam_wheel.so use_uid" + +Or use the following command to update /etc/pam.d/su + +$ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su + +If necessary, create a "wheel" group and add administrative users to the group. + +$ grep wheel /etc/group + + + + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + OL09-00-002362 + OL 9 must require users to reauthenticate for privilege escalation. + <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002234 + Configure OL 9 to not allow users to execute privileged actions without authenticating. + +Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. + +$ sudo sed -i '/\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/* + + + + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + OL09-00-002363 + OL 9 must require users to provide a password for privilege escalation. + <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. 
+ +When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002234 + Configure OL 9 to not allow users to execute privileged actions without authenticating with a password. + +Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. + +$ sudo sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/* + + + + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + OL09-00-002364 + OL 9 must not be configured to bypass password requirements for privilege escalation. + <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002234 + Configure the operating system to require users to supply a password for privilege escalation. + +Remove any occurrences of " pam_succeed_if " in the "/etc/pam.d/sudo" file. 
+ + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002370 + OL 9 must disable the use of user namespaces. + <VulnDiscussion>User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable. + +user.max_user_namespaces = 0 + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002380 + OL 9 must disable the kernel.core_pattern. + <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to disable storing core dumps. + +Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + +kernel.core_pattern = |/bin/false + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002381 + OL 9 must disable core dump backtraces. + <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. + +Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. 
Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure the operating system to disable core dump backtraces. + +Add or modify the following line in /etc/systemd/coredump.conf: + +ProcessSizeMax=0 + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002382 + OL 9 must disable storing core dumps. + <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure the operating system to disable storing core dumps for all users. 
+ +Add or modify the following line in /etc/systemd/coredump.conf: + +Storage=none + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002383 + OL 9 must disable core dumps for all users. + <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to disable core dumps for all users. + +Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: + +* hard core 0 + +Remove or comment out any entries for users or groups with a value set to anything other than "0". + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002384 + OL 9 must disable acquiring, saving, and processing core dumps. + <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure the system to disable the systemd-coredump.socket with the following command: + +$ sudo systemctl mask --now systemd-coredump.socket + +Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null + +Reload the daemon for this change to take effect. + +$ sudo systemctl daemon-reload + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002385 + OL 9 must be configured so that the kdump service is disabled. + <VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to disable and mask the kdump service. 
+ +To disable the kdump service, run the following command: + +$ sudo systemctl disable --now kdump + +To mask the kdump service, run the following command: + +$ sudo systemctl mask --now kdump + + + + + + + + SRG-OS-000433-GPOS-00192 + <GroupDescription></GroupDescription> + + OL09-00-002390 + OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks. + <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically contiguous memory. SLUB is the unqueued SLAB allocator. 
+ +Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002824 + CCI-001084 + Configure OL 9 to enable poisoning of SLUB/SLAB objects with the following commands: + +$ sudo grubby --update-kernel=ALL --args="slub_debug=P" + +Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +GRUB_CMDLINE_LINUX="slub_debug=P" + + + + + + + + SRG-OS-000433-GPOS-00193 + <GroupDescription></GroupDescription> + + OL09-00-002391 + OL 9 must enable mitigations against processor-based vulnerabilities. + <VulnDiscussion>Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). 
+ +Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002824 + CCI-000381 + Configure OL 9 to enable kernel page-table isolation with the following command: + +$ sudo grubby --update-kernel=ALL --args="pti=on" + +Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +GRUB_CMDLINE_LINUX="pti=on" + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002392 + OL 9 must disable the ability of systemd to spawn an interactive boot process. + <VulnDiscussion>Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to allocate sufficient audit_backlog_limit to disable the ability of systemd to spawn an interactive boot process with the following command: + +$ sudo grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" + + + + + + + + SRG-OS-000134-GPOS-00068 + <GroupDescription></GroupDescription> + + OL09-00-002393 + OL 9 must disable virtual system calls. 
+ <VulnDiscussion>System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual system calls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. + +Virtual system calls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling virtual system calls help to prevent return-oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on OL 6 components, virtual system calls will have to be enabled so the components function properly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001084 + Document the use of virtual system calls with the ISSO as an operational requirement or disable them with the following command: + +$ sudo grubby --update-kernel=ALL --args="vsyscall=none" + +Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +GRUB_CMDLINE_LINUX="vsyscall=none" + + + + + + + + SRG-OS-000134-GPOS-00068 + <GroupDescription></GroupDescription> + + OL09-00-002394 + OL 9 must clear the page allocator to prevent use-after-free attacks. 
+ <VulnDiscussion>Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001084 + Configure OL 9 to enable page poisoning with the following commands: + +$ sudo grubby --update-kernel=ALL --args="page_poison=1" + +Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +GRUB_CMDLINE_LINUX="page_poison=1" + + + + + + + + SRG-OS-000269-GPOS-00103 + <GroupDescription></GroupDescription> + + OL09-00-002400 + OL 9 systemd-journald service must be enabled. 
+ <VulnDiscussion>In the event of a system failure, OL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001665 + Configure OL 9 to enable the systemd-journald service with the following command: + +$ sudo systemctl enable --now systemd-journald + + + + + + + + SRG-OS-000312-GPOS-00123 + <GroupDescription></GroupDescription> + + OL09-00-002401 + OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. + <VulnDiscussion>By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002165 + CCI-002235 + Configure OL 9 to enable DAC on hardlinks with the following: + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +fs.protected_hardlinks = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000312-GPOS-00123 + <GroupDescription></GroupDescription> + + OL09-00-002402 + OL 9 must enable kernel parameters to enforce discretionary access control on symlinks. + <VulnDiscussion>By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002165 + CCI-002235 + Configure OL 9 to enable DAC on symlinks with the following: + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +fs.protected_symlinks = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000324-GPOS-00125 + <GroupDescription></GroupDescription> + + OL09-00-002403 + OL 9 debug-shell systemd service must be disabled. + <VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. 
This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002235 + Configure OL 9 to mask the debug-shell systemd service with the following command: + +$ sudo systemctl disable --now debug-shell.service +$ sudo systemctl mask --now debug-shell.service + + + + + + + + SRG-OS-000033-GPOS-00014 + <GroupDescription></GroupDescription> + + OL09-00-002404 + OL 9 IP tunnels must use 140-3 approved cryptographic algorithms. + <VulnDiscussion>Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000068 + Configure IPsec to use the systemwide cryptographic policy. + +Add the following line to "/etc/ipsec.conf": + +include /etc/crypto-policies/back-ends/libreswan.config + + + + + + + + SRG-OS-000132-GPOS-00067 + <GroupDescription></GroupDescription> + + OL09-00-002406 + OL 9 must restrict access to the kernel message buffer. 
+ <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + +Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. + +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001082 + CCI-001090 + Configure OL 9 to restrict access to the kernel message buffer. 
+ +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: + +kernel.dmesg_restrict = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000132-GPOS-00067 + <GroupDescription></GroupDescription> + + OL09-00-002407 + OL 9 must prevent kernel profiling by nonprivileged users. + <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + +Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. 
+ +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001082 + CCI-001090 + Configure OL 9 to prevent kernel profiling by nonprivileged users. + +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: + +kernel.perf_event_paranoid = 2 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000132-GPOS-00067 + <GroupDescription></GroupDescription> + + OL09-00-002408 + OL 9 must restrict exposed kernel pointer addresses access. + <VulnDiscussion>Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". 
+ +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001082 + CCI-002824 + Configure OL 9 to prevent the leak of kernel pointers to unprivileged users. + +Add or edit the following line in /etc/sysctl.d/99-sysctl.conf system configuration file: + +kernel.kptr_restrict = 1 + +Reload settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000132-GPOS-00067 + <GroupDescription></GroupDescription> + + OL09-00-002409 + OL 9 must disable access to network bpf system call from nonprivileged processes. + <VulnDiscussion>Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001082 + Configure OL 9 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: + +kernel.unprivileged_bpf_disabled = 1 + +The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000132-GPOS-00067 + <GroupDescription></GroupDescription> + + OL09-00-002410 + OL 9 must restrict usage of ptrace to descendant processes. + <VulnDiscussion>Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001082 + Configure OL 9 to restrict usage of ptrace to descendant processes by adding the following line to "/etc/sysctl.d/99-sysctl.conf": + +kernel.yama.ptrace_scope = 1 + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000163-GPOS-00072 + <GroupDescription></GroupDescription> + + OL09-00-002411 + OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. + <VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. 
+ +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001133 + CCI-000057 + Configure OL 9 to exit interactive command shell user sessions after 15 minutes of inactivity. + +Add or edit the following line in "/etc/profile.d/tmout.sh": + +#!/bin/bash + +declare -xr TMOUT=900 + + + + + + + + SRG-OS-000324-GPOS-00125 + <GroupDescription></GroupDescription> + + OL09-00-002412 + OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled. + <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002235 + Configure OL 9 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: + +If no drop file exists, create one with the following command: + +$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction + +Edit the file to contain the setting by adding the following text: + +CtrlAltDelBurstAction=none + +Reload the daemon for this change to take effect. + +$ sudo systemctl daemon-reload + + + + + + + + SRG-OS-000324-GPOS-00125 + <GroupDescription></GroupDescription> + + OL09-00-002413 + OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled. + <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002235 + Configure OL 9 to disable the ctrl-alt-del.target with the following command: + +$ sudo systemctl disable --now ctrl-alt-del.target +$ sudo systemctl mask --now ctrl-alt-del.target + + + + + + + + SRG-OS-000027-GPOS-00008 + <GroupDescription></GroupDescription> + + OL09-00-002415 + OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. + <VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions must be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000054 + Configure OL 9 to limit the number of concurrent sessions to "10" for all accounts and/or account types. + +Add the following line to the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: + +* hard maxlogins 10 + + + + + + + + SRG-OS-000329-GPOS-00128 + <GroupDescription></GroupDescription> + + OL09-00-002416 + OL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. + <VulnDiscussion>By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
+ +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002238 + CCI-000044 + Configure OL 9 to lock out the "root" account after a number of incorrect login attempts within 15 minutes using "pam_faillock.so" by enabling the feature using the following command: + +$ sudo authselect enable-feature with-faillock + +Then edit the "/etc/security/faillock.conf" file as follows: + +fail_interval = 900 + + + + + + + + SRG-OS-000329-GPOS-00128 + <GroupDescription></GroupDescription> + + OL09-00-002417 + OL 9 must maintain an account lock until the locked account is released by an administrator. + <VulnDiscussion>By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
+ +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002238 + CCI-000044 + Configure OL 9 to lock an account until released by an administrator after three unsuccessful logon attempts with the command: + +$ sudo authselect enable-feature with-faillock + +Then edit the "/etc/security/faillock.conf" file as follows: + +unlock_time = 0 + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002419 + OL 9 file systems must not contain shosts.equiv files. + <VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Remove any found "shosts.equiv" files from the system. 
+ +$ sudo rm /[path]/[to]/[file]/shosts.equiv + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002420 + OL 9 file systems must not contain .shosts files. + <VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Remove any found ".shosts" files from the system. + +$ sudo rm /[path]/[to]/[file]/.shosts + + + + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + OL09-00-002421 + OL 9 must implement DOD-approved encryption in the bind package. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +OL 9 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-002418 + CCI-002422 + Configure BIND to use the system crypto policy. + +Add the following line to the "options" section in "/etc/named.conf": + +include "/etc/crypto-policies/back-ends/bind.config"; + + + + + + + + SRG-OS-000433-GPOS-00193 + <GroupDescription></GroupDescription> + + OL09-00-002423 + OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. + <VulnDiscussion>ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002824 + Configure OL 9 to implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. 
+ +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +kernel.randomize_va_space = 2 + +Reload settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002425 + OL 9 must be configured to prevent unrestricted mail relaying. + <VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Modify the postfix configuration file to restrict client connections to the local network with the following command: + +$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' + + + + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> + + OL09-00-002428 + OL 9 must prevent the loading of a new kernel for later execution. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. 
Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-003992 + Configure OL 9 to prevent the loading of a new kernel for later execution. + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +kernel.kexec_load_disabled = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002430 + OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. 
+ <VulnDiscussion>When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: + +net.core.bpf_jit_harden = 2 + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002502 + OL 9 SSH private host key files must have mode 0640 or less permissive. 
+ <VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: + +$ sudo chmod 0640 /etc/ssh/ssh_host*key + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002503 + OL 9 SSH public host key files must have mode 0644 or less permissive. + <VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: + +$ sudo chmod 0644 /etc/ssh/*key.pub + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl restart sshd.service + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002504 + OL 9 system commands must be group-owned by root or a system account. 
+ <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the system commands to be protected from unauthorized access. + +Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. + +$ sudo chgrp root [FILE] + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002505 + OL 9 system commands must be owned by root. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the system commands to be protected from unauthorized access. + +Run the following command, replacing "[FILE]" with any system command file not owned by "root". + +$ sudo chown root [FILE] + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002506 + OL 9 system commands must have mode 755 or less permissive. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the system commands to be protected from unauthorized access. 
+ +Run the following command, replacing "[FILE]" with any system command with a mode more permissive than "755". + +$ sudo chmod 755 [FILE] + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002507 + OL 9 SSH server configuration file must be group-owned by root. + <VulnDiscussion>Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the "/etc/ssh/sshd_config" file to be group-owned by root with the following command: + +$ sudo chgrp root /etc/ssh/sshd_config + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002508 + OL 9 SSH server configuration file must be owned by root. + <VulnDiscussion>Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. 
Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the "/etc/ssh/sshd_config" file to be owned by root with the following command: + +$ sudo chown root /etc/ssh/sshd_config + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002509 + OL 9 SSH server configuration file must have mode 0600 or less permissive. + <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the "/etc/ssh/sshd_config" permissions to be "0600" with the following command: + +$ sudo chmod 0600 /etc/ssh/sshd_config + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002513 + OL 9 local initialization files must have mode 0740 or less permissive. 
+ <VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Set the mode of the local initialization files to "0740" with the following command: + +Note: The example will be for the wadea user, who has a home directory of "/home/wadea". + +$ sudo chmod 0740 /home/wadea/.<INIT_FILE> + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002515 + OL 9 local interactive user home directories must have mode 0750 or less permissive. + <VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: + +Note: The example will be for the user "wadea". 
+ +$ sudo chmod 0750 /home/wadea + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002520 + OL 9 library directories must be group-owned by root or a system account. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root". + +$ sudo chgrp root [DIRECTORY] + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002521 + OL 9 library directories must be owned by root. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root". + +$ sudo chown root [DIRECTORY] + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002522 + OL 9 library directories must have mode 755 or less permissive. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than 755. + +$ sudo chmod 755 [DIRECTORY] + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002523 + OL 9 library files must be group owned by root or a system account. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the OL 9 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be group owned by root with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} + + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002524 + OL 9 library files must be owned by root. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be owned by root with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} + + + + + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + OL09-00-002525 + OL 9 library files must have mode 0755 or less permissive. + <VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001499 + Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to have mode 0755 or less permissive with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} + + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002530 + OL 9 /boot/grub2/grub.cfg file must be group-owned by root. + <VulnDiscussion>The "root" group is a highly privileged group. The group-owner of this file should not have any access privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /boot/grub2/grub.cfg to root by running the following command: + +$ sudo chgrp root /boot/grub2/grub.cfg + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002531 + OL 9 /boot/grub2/grub.cfg file must be owned by root. + <VulnDiscussion>The "/boot/grub2/grub.cfg" file stores sensitive system configuration. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /boot/grub2/grub.cfg to root by running the following command: + +$ sudo chown root /boot/grub2/grub.cfg + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002532 + OL 9 /etc/group file must be group-owned by root. + <VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/group to root by running the following command: + +$ sudo chgrp root /etc/group + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002533 + OL 9 /etc/group- file must be group-owned by root. + <VulnDiscussion>The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. 
Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/group- to root by running the following command: + +$ sudo chgrp root /etc/group- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002534 + OL 9 /etc/group file must be owned by root. + <VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/group to root by running the following command: + +$ sudo chown root /etc/group + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002535 + OL 9 /etc/group- file must be owned by root. + <VulnDiscussion>The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. 
Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/group- to root by running the following command: + +$ sudo chown root /etc/group- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002536 + OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. + <VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/group" to "0644" by running the following command: + +$ sudo chmod 0644 /etc/group + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002537 + OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. + <VulnDiscussion>The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. 
Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/group-" to "0644" by running the following command: + +$ sudo chmod 0644 /etc/group- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002538 + OL 9 /etc/gshadow file must be group-owned by root. + <VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/gshadow to root by running the following command: + +$ sudo chgrp root /etc/gshadow + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002539 + OL 9 /etc/gshadow- file must be group-owned by root. + <VulnDiscussion>The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/gshadow- to root by running the following command: + +$ sudo chgrp root /etc/gshadow- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002540 + OL 9 /etc/gshadow file must be owned by root. + <VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/gshadow to root by running the following command: + +$ sudo chown root /etc/gshadow + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002541 + OL 9 /etc/gshadow- file must be owned by root. + <VulnDiscussion>The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/gshadow- to root by running the following command: + +$ sudo chown root /etc/gshadow- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002542 + OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. + <VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/gshadow" to "0000" by running the following command: + +$ sudo chmod 0000 /etc/gshadow + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002543 + OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. + <VulnDiscussion>The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/gshadow-" to "0000" by running the following command: + +$ sudo chmod 0000 /etc/gshadow- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002544 + OL 9 /etc/passwd file must be group-owned by root. + <VulnDiscussion>The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/passwd to root by running the following command: + +$ sudo chgrp root /etc/passwd + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002545 + OL 9 /etc/passwd- file must be group-owned by root. + <VulnDiscussion>The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/passwd- to root by running the following command: + +$ sudo chgrp root /etc/passwd- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002546 + OL 9 /etc/passwd file must be owned by root. + <VulnDiscussion>The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/passwd to root by running the following command: + +$ sudo chown root /etc/passwd + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002547 + OL 9 /etc/passwd- file must be owned by root. + <VulnDiscussion>The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/passwd- to root by running the following command: + +$ sudo chown root /etc/passwd- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002548 + OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. + <VulnDiscussion>If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/passwd" to "0644" by running the following command: + +$ sudo chmod 0644 /etc/passwd + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002549 + OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. 
+ <VulnDiscussion>The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/passwd-" to "0644" by running the following command: + +$ sudo chmod 0644 /etc/passwd- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002550 + OL 9 /etc/shadow file must be group-owned by root. + <VulnDiscussion>The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/shadow to root by running the following command: + +$ sudo chgrp root /etc/shadow + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002551 + OL 9 /etc/shadow- file must be group-owned by root. + <VulnDiscussion>The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the group of the file /etc/shadow- to root by running the following command: + +$ sudo chgrp root /etc/shadow- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002552 + OL 9 /etc/shadow file must be owned by root. + <VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/shadow to root by running the following command: + +$ sudo chown root /etc/shadow + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002553 + OL 9 /etc/shadow- file must be owned by root. + <VulnDiscussion>The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. 
Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the owner of the file /etc/shadow- to root by running the following command: + +$ sudo chown root /etc/shadow- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002554 + OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. + <VulnDiscussion>The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/shadow-" to "0000" by running the following command: + +$ sudo chmod 0000 /etc/shadow- + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002555 + OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. + <VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. 
Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the mode of the file "/etc/shadow" to "0000" by running the following command: + +$ sudo chmod 0000 /etc/shadow + + + + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + OL09-00-002560 + OL 9 /var/log directory must be group-owned by root. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001314 + Configure the group owner of the directory "/var/log" to "root" by running the following command: + +$ sudo chgrp root /var/log + + + + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + OL09-00-002561 + OL 9 /var/log directory must be owned by root. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001314 + Configure the owner of the directory "/var/log" to "root" by running the following command: + +$ sudo chown root /var/log + + + + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + OL09-00-002562 + OL 9 /var/log directory must have mode 0755 or less permissive. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001314 + Configure the "/var/log" directory to a mode of "0755" by running the following command: + +$ sudo chmod 0755 /var/log + + + + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + OL09-00-002563 + OL 9 /var/log/messages file must be group-owned by root. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001314 + Change the group owner of the "/var/log/messages" file to "root" by running the following command: + +$ sudo chgrp root /var/log/messages + + + + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + OL09-00-002564 + OL 9 /var/log/messages file must be owned by root. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001314 + Change the owner of the "/var/log/messages" file to "root" by running the following command: + +$ sudo chown root /var/log/messages + + + + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + OL09-00-002565 + OL 9 /var/log/messages file must have mode 0640 or less permissive. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001314 + Configure the "/var/log/messages" file to have a mode of "0640" by running the following command: + +$ sudo chmod 0640 /var/log/messages + + + + + + + + SRG-OS-000256-GPOS-00097 + <GroupDescription></GroupDescription> + + OL09-00-002570 + OL 9 audit tools must be group-owned by root. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001493 + Configure the audit tools to be group-owned by "root" by running the following command: + +$ sudo chgrp root [audit_tool] + +Replace "[audit_tool]" with each audit tool not group-owned by "root". + + + + + + + + SRG-OS-000256-GPOS-00097 + <GroupDescription></GroupDescription> + + OL09-00-002571 + OL 9 audit tools must be owned by root. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001493 + Configure the audit tools to be owned by "root" by running the following command: + +$ sudo chown root [audit_tool] + +Replace "[audit_tool]" with each audit tool not owned by "root". + + + + + + + + SRG-OS-000256-GPOS-00097 + <GroupDescription></GroupDescription> + + OL09-00-002572 + OL 9 audit tools must have a mode of 0755 or less permissive. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001493 + Configure the audit tools to have a mode of "0755" by running the following command: + +$ sudo chmod 0755 [audit_tool] + +Replace "[audit_tool]" with each audit tool that has a more permissive mode than 0755. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002580 + OL 9 cron configuration directories must have a mode of 0700 or less permissive. + <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure any OL 9 cron configuration directory with a mode more permissive than "0700" as follows: + +$ sudo chmod 0700 [cron configuration directory] + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002581 + OL 9 cron configuration files directory must be group-owned by root. 
+ <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure any cron configuration not group-owned by root with the following command: + +$ sudo chgrp root [cron config file] + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002582 + OL 9 cron configuration files directory must be owned by root. 
+ <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure any cron configuration not owned by root with the following command: + +$ sudo chown root [cron config file] + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-002583 + OL 9 /etc/crontab file must have mode 0600. + <VulnDiscussion>Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must have the correct access rights to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the OL 9 file /etc/crontab with mode 600. 
+ +$ sudo chmod 0600 /etc/crontab + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-003000 + OL 9 must be configured so that the root account is the only account having unrestricted access to the system. + <VulnDiscussion>An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Change the UID of any account on the system, other than root, that has a UID of "0". + +If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. + + + + + + + + SRG-OS-000104-GPOS-00051 + <GroupDescription></GroupDescription> + + OL09-00-003001 + OL 9 duplicate User IDs (UIDs) must not exist for interactive users. + <VulnDiscussion>To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. 
+ +Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000764 + CCI-000804 + CCI-000135 + Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-003002 + OL 9 local interactive users must have a home directory assigned in the /etc/passwd file. + <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Create and assign home directories to all local interactive users on OL 9 that currently do not have a home directory assigned. + + + + + + + + SRG-OS-000104-GPOS-00051 + <GroupDescription></GroupDescription> + + OL09-00-003005 + OL 9 interactive users must have a primary group that exists. 
+ <VulnDiscussion>If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000764 + Configure the system so that all GIDs are referenced in "/etc/passwd" are defined in "/etc/group". + +Edit the file "/etc/passwd" and ensure that every user's GID is a valid GID. + + + + + + + + SRG-OS-000104-GPOS-00051 + <GroupDescription></GroupDescription> + + OL09-00-003006 + OL 9 groups must have unique Group ID (GID). + <VulnDiscussion>To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000764 + Edit the file "/etc/group" and provide each group that has a duplicate GID with a unique GID. + + + + + + + + SRG-OS-000021-GPOS-00005 + <GroupDescription></GroupDescription> + + OL09-00-003010 + OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. 
+ <VulnDiscussion>Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000044 + Configure OL 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy. + +Create a nondefault faillock tally directory (if it does not already exist) with the following example: + +$ sudo mkdir /var/log/faillock + +Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the nondefault faillock tally directory with the following command: + +$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" + +Update the context type of the nondefault faillock directory/subdirectories and files with the following command: + +$ sudo restorecon -R -v /var/log/faillock + + + + + + + + SRG-OS-000329-GPOS-00128 + <GroupDescription></GroupDescription> + + OL09-00-003020 + OL 9 must automatically lock an account when three unsuccessful logon attempts occur. + <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
+ +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002238 + CCI-000044 + Configure OL 9 to lock an account when three unsuccessful logon attempts occur. + +Add/modify the "/etc/security/faillock.conf" file to match the following line: + +deny = 3 + + + + + + + + SRG-OS-000329-GPOS-00128 + <GroupDescription></GroupDescription> + + OL09-00-003021 + OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. + <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. 
+ +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002238 + CCI-000044 + Configure OL 9 to lock out the "root" account after a number of incorrect login attempts using "pam_faillock.so", first enable the feature using the following command: + +$ sudo authselect enable-feature with-faillock + +Then edit the "/etc/security/faillock.conf" file as follows: + + add or uncomment the following line: + even_deny_root + + + + + + + + SRG-OS-000021-GPOS-00005 + <GroupDescription></GroupDescription> + + OL09-00-003022 + OL 9 must log username information when unsuccessful logon attempts occur. + <VulnDiscussion>Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000044 + Configure OL 9 to log username information when unsuccessful logon attempts occur. + +Add/modify the "/etc/security/faillock.conf" file to match the following line: + +audit + + + + + + + + SRG-OS-000021-GPOS-00005 + <GroupDescription></GroupDescription> + + OL09-00-003023 + OL 9 must ensure account lockouts persist. 
+ <VulnDiscussion>Having lockouts persist across reboots ensures that account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000044 + Configure OL 9 maintain the contents of the faillock directory after a reboot. + +Add/modify the "/etc/security/faillock.conf" file to match the following line: + +dir = /var/log/faillock + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-003051 + OL 9 system accounts must not have an interactive login shell. + <VulnDiscussion>Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 so that all noninteractive accounts on the system do not have an interactive shell assigned to them. + +If the system account needs a shell assigned for mission operations, document the need with the ISSO. 
+ +Run the following command to disable the interactive shell for a specific noninteractive user account: + +Replace <user> with the user that has a login shell. + +$ sudo usermod --shell /sbin/nologin <user> + +Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-003052 + OL 9 local interactive user accounts must be assigned a home directory upon creation. + <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. + +CREATE_HOME yes + + + + + + + + SRG-OS-000118-GPOS-00060 + <GroupDescription></GroupDescription> + + OL09-00-003065 + OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. + <VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. + +Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. + +Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
+ +Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-003627 + CCI-003628 + Configure OL 9 to disable account identifiers after 35 days of inactivity after the password expiration. + +Run the following command to change the configuration for useradd: + +$ sudo useradd -D -f 35 + +The recommendation is 35 days, but a lower value is acceptable. + + + + + + + + SRG-OS-000480-GPOS-00226 + <GroupDescription></GroupDescription> + + OL09-00-003070 + OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. + <VulnDiscussion>Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the OL 9 to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. 
+ +Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to 4 or greater: + +FAIL_DELAY 4 + + + + + + + + SRG-OS-000032-GPOS-00013 + <GroupDescription></GroupDescription> + + OL09-00-005000 + OL 9 remote access methods must be monitored. + <VulnDiscussion>Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000067 + Configure OL 9 remote access methods to be monitored. + +Add or update the following lines to the "/etc/rsyslog.conf" file: + +auth.*;authpriv.*;daemon.* /var/log/secure + +The "rsyslog" service must be restarted for the changes to take effect with the following command: + +$ sudo systemctl restart rsyslog.service + + + + + + + + SRG-OS-000479-GPOS-00224 + <GroupDescription></GroupDescription> + + OL09-00-005005 + OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. + <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Offloading is a common process in information systems with limited audit storage capacity. + +OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. 
Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. + +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + +Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + Configure OL 9 to offload audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in "/etc/rsyslog.conf"" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. + +*.* @@[remoteloggingserver]:[port]" + + + + + + + + SRG-OS-000342-GPOS-00133 + <GroupDescription></GroupDescription> + + OL09-00-005015 + OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. + <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Offloading is a common process in information systems with limited audit storage capacity. 
+ +OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. + +"Rsyslog" supported authentication modes include: +anon - anonymous authentication +x509/fingerprint - certificate fingerprint authentication +x509/certvalid - certificate validation only +x509/name - certificate validation and subject name authentication + +Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + Configure OL 9 to authenticate the remote logging server for off-loading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": + +$ActionSendStreamDriverAuthMode x509/name + + + + + + + + SRG-OS-000342-GPOS-00133 + <GroupDescription></GroupDescription> + + OL09-00-005020 + OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. + <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Offloading is a common process in information systems with limited audit storage capacity. + +OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. 
Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. + +"Rsyslog" supported authentication modes include: +anon - anonymous authentication +x509/fingerprint - certificate fingerprint authentication +x509/certvalid - certificate validation only +x509/name - certificate validation and subject name authentication + +Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + Configure OL 9 to encrypt offloaded audit records via rsyslog by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": + +$ActionSendStreamDriverMode 1 + + + + + + + + SRG-OS-000342-GPOS-00133 + <GroupDescription></GroupDescription> + + OL09-00-005025 + OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. + <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Offloading is a common process in information systems with limited audit storage capacity. + +OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. 
Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. + +Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001851 + Configure OL 9 to use the gtls driver to encrypt offloaded audit records by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": + +$DefaultNetstreamDriver gtls + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-005030 + OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. + <VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. 
+ +If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not receive remote logs using rsyslog. + +Remove the lines in /etc/rsyslog.conf and any files in the /etc/rsyslog.d directory that match any of the following: +InputTCPServerRun +UDPServerRun +RELPServerRun +module(load="imtcp") +module(load="imudp") +module(load="imrelp") +input(type="imudp" port="514") +input(type="imtcp" port="514") +input(type="imrelp" port="514") + +The rsyslog daemon must be restarted for the changes to take effect: + +$ sudo systemctl restart rsyslog.service + + + + + + + + SRG-OS-000420-GPOS-00186 + <GroupDescription></GroupDescription> + + OL09-00-006000 + OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. + <VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +This requirement addresses the configuration of OL 9 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). 
Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002385 + Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf": + +FirewallBackend=nftables + +Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces. + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006002 + OL 9 must configure a DNS processing mode set be Network Manager. + <VulnDiscussion>To ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure NetworkManager in OL 9 to use a DNS mode. + +In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section: + +dns = none + +NetworkManager must be reloaded for the change to take effect. 
+ +$ sudo systemctl reload NetworkManager + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006003 + OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. + <VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure the operating system to use two or more name servers for DNS resolution based on the DNS mode of the system. + +If the NetworkManager DNS mode is set to "none", then add the following lines to "/etc/resolv.conf": + +nameserver [name server 1] +nameserver [name server 2] + +Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. + +If the NetworkManager DNS mode is set to "default" then add two DNS servers to a NetworkManager connection. Using the following commands: + +$ sudo nmcli connection modify [connection name] ipv4.dns [name server 1] +$ sudo nmcli connection modify [connection name] ipv4.dns [name server 2] + +Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. Replace [connection name] with a valid NetworkManager connection name on the system. Replace ipv4 with ipv6 if IPv6 DNS servers are used. 
+ + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006004 + OL 9 network interfaces must not be in promiscuous mode. + <VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. + +If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information systems security officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. + +Set the promiscuous mode of an interface to off with the following command: + +$ sudo ip link set dev <devicename> multicast off promisc off + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006020 + OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + +This feature of the IPv4 protocol has few legitimate uses. 
It should be disabled unless absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to ignore IPv4 ICMP redirect messages. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.all.accept_redirects = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006021 + OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. + +Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It must be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to ignore IPv4 source-routed packets. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.all.accept_source_route = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006022 + OL 9 must log IPv4 packets with impossible addresses. + <VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to log martian packets on IPv4 interfaces. 
+ +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.all.log_martians=1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006023 + OL 9 must log IPv4 packets with impossible addresses by default. + <VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to log martian packets on IPv4 interfaces by default. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.default.log_martians=1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006024 + OL 9 must use reverse path filtering on all IPv4 interfaces. + <VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. 
It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to use reverse path filtering on all IPv4 interfaces. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.all.rp_filter = 1 + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006025 + OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + +This feature of the IPv4 protocol has few legitimate uses. 
It must be disabled unless absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to prevent IPv4 ICMP redirect messages from being accepted. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.default.accept_redirects = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006026 + OL 9 must not forward IPv4 source-routed packets by default. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. + +Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not forward IPv4 source-routed packets by default. 
+ +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.default.accept_source_route = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006027 + OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default. + <VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to use reverse path filtering on IPv4 interfaces by default. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.default.rp_filter = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006028 + OL 9 must not enable IPv4 packet forwarding unless the system is a router. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this capability is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not allow IPv4 packet forwarding unless the system is a router. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.all.forwarding = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006030 + OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. + <VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. + +Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not respond to IPv4 ICMP echoes sent to a broadcast address. 
+ +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.icmp_echo_ignore_broadcasts = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006031 + OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. + <VulnDiscussion>Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not log bogus ICMP errors: + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.icmp_ignore_bogus_error_responses = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006032 + OL 9 must not send Internet Control Message Protocol (ICMP) redirects. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table possibly revealing portions of the network topology. + +The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not allow interfaces to perform IPv4 ICMP redirects. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.all.send_redirects = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006033 + OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
+ +The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000366 + Configure OL 9 to not allow interfaces to perform IPv4 ICMP redirects by default. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv4.conf.default.send_redirects = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006040 + OL 9 must not accept router advertisements on all IPv6 interfaces. + <VulnDiscussion>An illicit router advertisement message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. 
+ +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv6.conf.all.accept_ra = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006041 + OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + <VulnDiscussion>An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to ignore IPv6 ICMP redirect messages. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv6.conf.all.accept_redirects = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006042 + OL 9 must not forward IPv6 source-routed packets. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to not forward IPv6 source-routed packets. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv6.conf.all.accept_source_route = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006043 + OL 9 must not enable IPv6 packet forwarding unless the system is a router. + <VulnDiscussion>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to not allow IPv6 packet forwarding unless the system is a router. 
+ +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv6.conf.all.forwarding = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006044 + OL 9 must not accept router advertisements on all IPv6 interfaces by default. + <VulnDiscussion>An illicit router advertisement message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv6.conf.default.accept_ra = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006045 + OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to prevent IPv6 ICMP redirect messages from being accepted. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv6.conf.default.accept_redirects = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + OL09-00-006046 + OL 9 must not forward IPv6 source-routed packets by default. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + +Accepting source-routed packets in the IPv6 protocol has few legitimate uses. 
It must be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + + CCI-000366 + Configure OL 9 to not forward IPv6 source-routed packets by default. + +Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: + +net.ipv6.conf.default.accept_source_route = 0 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000420-GPOS-00186 + <GroupDescription></GroupDescription> + + OL09-00-006050 + OL 9 must be configured to use TCP syncookies. + <VulnDiscussion>Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. 
+ +Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-002385 + CCI-001095 + Configure OL 9 to use TCP syncookies. + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + + net.ipv4.tcp_syncookies = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --system + + + + + + + + SRG-OS-000462-GPOS-00206 + <GroupDescription></GroupDescription> + + OL09-00-008000 + OL 9 audit system must protect logon UIDs from unauthorized change. + <VulnDiscussion>If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. 
+ +Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000172 + CCI-000162 + CCI-000163 + CCI-000164 + Configure OL 9 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules: + +--loginuid-immutable + +The audit daemon must be restarted for the changes to take effect. + +$ sudo service auditd restart + + + + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + OL09-00-008005 + OL 9 audit system must protect auditing rules from unauthorized change. + <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 9 system activity. + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable, and a system administrator could then investigate the unauthorized changes. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000162 + CCI-000163 + CCI-000164 + Configure the audit system to set the audit rules to be immutable by adding the following line to end of "/etc/audit/rules.d/audit.rules" + +-e 2 + +The audit daemon must be restarted for the changes to take effect. + +$ sudo service auditd restart + + + + + + + + SRG-OS-000037-GPOS-00015 + <GroupDescription></GroupDescription> + + OL09-00-002584 + OL 9 must audit any script or executable called by cron as root or by any privileged user. + <VulnDiscussion>Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions 0755 or more restrictive, and should have no extended rights that allow any nonprivileged user to modify the script or executable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + Configure OL 9 to audit the execution of any system call made by cron as root or as any privileged user. 
+ +Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": + +auditctl -w /etc/cron.d/ -p wa -k cronjobs +auditctl -w /var/spool/cron/ -p wa -k cronjobs + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --load + + + + + + + + SRG-OS-000163-GPOS-00072 + <GroupDescription></GroupDescription> + + OL09-00-002376 + OL 9 must terminate idle user sessions. + <VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Oracle Linux 9 + DISA + DPMS Target + Oracle Linux 9 + 5680 + + CCI-001134 + Configure OL 9 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + +StopIdleSessionSec=600 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + +$ sudo systemctl restart systemd-logind + + + + + + + + + + + + Security Content Tool 1.7.0 + 5.11 + 2026-01-05T02:26:46 + + + + + The operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. + + + + + + + + + + The operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. + + + + + + + + + The operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. 
+ + + + + + + + + The operating system shadow password suite must be configured to use a sufficient number of hashing rounds. + + + + + + + + + + + + + + The operating system pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. + + + + + + + + + The operating system must use a Linux Security Module configured to enforce limits on system services. + + + + + + + + + + + The operating system must have policycoreutils package installed. + + + + + + + + + The operating system /var/log/messages file must have mode 0640 or less permissive. + + + + + + + + + The operating system /var/log/messages file must be owned by root. + + + + + + + + + The operating system /var/log/messages file must be group-owned by root. + + + + + + + + + The operating system /var/log directory must have mode 0755 or less permissive. + + + + + + + + + The operating system /var/log directory must be owned by root. + + + + + + + + + The operating system /var/log directory must be group-owned by root. + + + + + + + + + The operating system library files must be owned by root. + + + + + + + + + The operating system library files must be group-owned by root or a system account. + + + + + + + + + The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. + + + + + + + + + + The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
+ + + + + + + + + The operating system must prevent the loading of a new kernel for later execution. + + + + + + + + + + The operating system must require users to provide a password for privilege escalation. + + + + + + + + + + The operating system must have the packages required for multifactor authentication installed. + + + + + + + + + The operating system must clear the page allocator to prevent use-after-free attacks. + + + + + + + + + + The operating system must disable virtual syscalls. + + + + + + + + + + YUM must remove all software components after updated versions have been installed on the operating system. + + + + + + + + + The operating system must enable the SELinux targeted policy. + + + + + + + + + + There must be no shosts.equiv files on the operating system operating system. + + + + + + + + + There must be no .shosts files on the operating system operating system. + + + + + + + + + The operating system SSH public host key files must have mode 0644 or less permissive. + + + + + + + + + The operating system SSH private host key files must have mode 0640 or less permissive. + + + + + + + + + The operating system SSH daemon must perform strict mode checking of home directory configuration files. + + + + + + + + + The operating system must use a separate file system for /var. + + + + + + + + + + The operating system must use a separate file system for the system audit data path. + + + + + + + + + + A separate the operating system filesystem must be used for the /tmp directory. + + + + + + + + + + The operating system must not permit direct logons to the root account using remote access via SSH. + + + + + + + + + The operating system must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. + + + + + + + + + The operating system must prevent files with the setuid and setgid bit set from being executed on the /boot directory. 
+ + + + + + + + + + The operating system must prevent special devices on non-root local partitions. + + + + + + + + + + The operating system must prevent code from being executed on file systems that are imported via Network File System (NFS). + + + + + + + + + + The operating system must prevent special devices on file systems that are imported via Network File System (NFS). + + + + + + + + + The operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). + + + + + + + + + The operating system must disable kernel dumps unless needed. + + + + + + + + + + + The operating system must disable the kernel.core_pattern. + + + + + + + + + The operating system must disable acquiring, saving, and processing core dumps. + + + + + + + + + + The operating system must disable core dumps for all users. + + + + + + + + + + The operating system must disable storing core dumps. + + + + + + + + + The operating system must disable core dump backtraces. + + + + + + + + + For Systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. + + + + + + + + + + + + + + All the operating system local interactive user accounts must be assigned a home directory upon creation. + + + + + + + + + All the operating system local initialization files must have mode 0740 or less permissive. + + + + + + + + + + A separate operating system filesystem must be used for user home directories (such as /home or an equivalent). + + + + + + + + + Unattended or automatic logon via the operating system graphical user interface must not be allowed. + + + + + + + + + The operating system must automatically lock an account when three unsuccessful logon attempts occur. + + + + + + + + + The operating system must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
+ + + + + + + + + The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. + + + + + + + + + The operating system must ensure account lockouts persist + + + + + + + + + The operating system must log user name information when unsuccessful logon attempts occur. + + + + + + + + + The operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. + + + + + + + + + The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. + + + + + + + + + + The operating system must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. + + + + + + + + + The operating system must ensure the password complexity module is enabled in the password-auth file. + + + + + + + + + The operating system must enforce password complexity by requiring that at least one uppercase character be used. + + + + + + + + + The operating system must enforce password complexity by requiring that at least one lower-case character be used. + + + + + + + + + The operating system must enforce password complexity by requiring that at least one numeric character be used. + + + + + + + + + The operating system must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. + + + + + + + + + The operating system must require the maximum number of repeating characters be limited to three when passwords are changed. + + + + + + + + + The operating system must require the change of at least four character classes when passwords are changed. + + + + + + + + + The operating system must require the change of at least 8 characters when passwords are changed. 
+ + + + + + + + + The operating system passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. + + + + + + + + + + The operating system passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs. + + + + + + + + + The operating system user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. + + + + + + + + + + The operating system passwords must have a minimum of 15 characters. + + + + + + + + + The operating system account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. + + + + + + + + + All the operating system passwords must contain at least one special character. + + + + + + + + + The operating system must prohibit the use of cached authentications after one day. + + + + + + + + + + The operating system must prevent the use of dictionary words for passwords. + + + + + + + + + The operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. + + + + + + + + + The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + + + + + + + + + The operating system audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. + + + + + + + + + + + + The operating system System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. + + + + + + + + + The operating system Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. 
+ + + + + + + + + The operating system System must take appropriate action when an audit processing failure occurs. + + + + + + + + + The operating system audit system must take appropriate action when the audit storage volume is full. + + + + + + + + + The operating system audit system must audit local events. + + + + + + + + + The operating system must label all off-loaded audit logs before sending them to the central log server. + + + + + + + + + The operating system must resolve audit information before writing to disk. + + + + + + + + + The operating system audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. + + + + + + + + + The operating system audit logs must be group-owned by root to prevent unauthorized read access. + + + + + + + + + The operating system audit log directory must be owned by root to prevent unauthorized read access. + + + + + + + + + The operating system audit system must protect auditing rules from unauthorized change. + + + + + + + + + The operating system audit system must protect logon UIDs from unauthorized change. + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. 
+ + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. + + + + + + + + + The operating system audit package must be installed. + + + + + + + + + Successful/unsuccessful uses of the su command in the operating system must generate an audit record. + + + + + + + + + The operating system audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. + + + + + + + + + + + + + + + + + Successful/unsuccessful uses of the chage command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the chcon command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the ssh-agent in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the passwd command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the mount command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the umount command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the unix_update in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of postdrop in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of postqueue in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of semanage in the operating system must generate an audit record. 
+ + + + + + + + + Successful/unsuccessful uses of setfiles in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of userhelper in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of setsebool in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of unix_chkpwd in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the ssh-keysign in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the setfacl command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the pam_timestamp_check command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the newgrp command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the init_module and finit_module system calls in the operating system must generate an audit record. + + + + + + + + + + + + Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in the operating system must generate an audit record. + + + + + + + + + + + + + Successful/unsuccessful uses of the gpasswd command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the delete_module command in the operating system must generate an audit record. + + + + + + + + + + Successful/unsuccessful uses of the crontab command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the chsh command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in the operating system must generate an audit record. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in the operating system must generate an audit record. + + + + + + + + + + + + + + + + Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in the operating system must generate an audit record. + + + + + + + + + + + + + + Successful/unsuccessful uses of the sudo command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the usermod command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the chacl command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the kmod command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful modifications to the lastlog file in the operating system must generate an audit record. + + + + + + + + + The operating system must enable auditing of processes that start prior to the audit daemon. + + + + + + + + + + The operating system must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. + + + + + + + + + + The operating system must enable Linux audit logging for the USBGuard daemon. + + + + + + + + + The operating system must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. + + + + + + + + + + The operating system audit tools must have a mode of 0755 or less permissive. + + + + + + + + + The operating system audit tools must be owned by root. + + + + + + + + + The operating system audit tools must be group-owned by root. + + + + + + + + + The operating system must use cryptographic mechanisms to protect the integrity of audit tools. 
+ + + + + + + + + + + + + + The operating system must have the packages required for offloading audit logs installed. + + + + + + + + + The operating system must have the packages required for encrypting offloaded audit logs installed. + + + + + + + + + The operating system must take appropriate action when the internal event queue is full. + + + + + + + + + The operating system must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. + + + + + + + + + + The operating system must disable the chrony daemon from acting as a server. + + + + + + + + + The operating system must disable network management of the chrony daemon. + + + + + + + + + The operating system must not have the telnet-server package installed. + + + + + + + + + The operating system must not have the sendmail package installed. + + + + + + + + + The operating system must enable mitigations against processor-based vulnerabilities. + + + + + + + + + + The operating system must disable the transparent inter-process communication (TIPC) protocol. + + + + + + + + + + The operating system must disable mounting of cramfs. + + + + + + + + + + + + + + + + The operating system file system automounter must be disabled unless required. + + + + + + + + + The operating system must be configured to disable USB mass storage. + + + + + + + + + + A firewall must be installed on the operating system. + + + + + + + + + The operating system Bluetooth must be disabled. + + + + + + + + + + The operating system must mount /dev/shm with the nodev option. + + + + + + + + + + The operating system must mount /dev/shm with the nosuid option. + + + + + + + + + + The operating system must mount /dev/shm with the noexec option. + + + + + + + + + + The operating system must mount /tmp with the nodev option. + + + + + + + + + + + The operating system must mount /tmp with the nosuid option. 
+ + + + + + + + + + The operating system must mount /var/log with the nodev option. + + + + + + + + + + + The operating system must mount /var/log with the nosuid option. + + + + + + + + + + + The operating system must mount /var/log with the noexec option. + + + + + + + + + + + The operating system must mount /var/log/audit with the nodev option. + + + + + + + + + + + The operating system must mount /var/log/audit with the nosuid option. + + + + + + + + + + The operating system must mount /var/log/audit with the noexec option. + + + + + + + + + + The operating system must mount /var/tmp with the nodev option. + + + + + + + + + + The operating system must mount /var/tmp with the nosuid option. + + + + + + + + + + The operating system must mount /var/tmp with the noexec option. + + + + + + + + + A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system can implement rate-limiting measures on impacted network interfaces. + + + + + + + + + The operating system must force a frequent session key renegotiation for SSH connections to the server. + + + + + + + + + + + + + The x86 Ctrl-Alt-Delete key sequence must be disabled on the operating system. + + + + + + + + + The debug-shell systemd service must be disabled on the operating system. + + + + + + + + + The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for the operating system operational support. + + + + + + + + + The root account must be the only account having unrestricted access to the operating system system. + + + + + + + + + The operating system must restrict usage of ptrace to descendant processes. + + + + + + + + + The operating system must be configured to prevent unrestricted mail relaying. + + + + + + + + + The graphical display manager must not be installed on the operating system unless approved. + + + + + + + + + The operating system network interfaces must not be in promiscuous mode. 
+ + + + + + + + + The operating system remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. + + + + + + + + + The operating system SSH daemon must prevent remote hosts from connecting to the proxy display. + + + + + + + + + The iprutils package must not be installed unless mission essential on the operating system. + + + + + + + + + The tuned package must not be installed unless mission essential on the operating system. + + + + + + + + + The operating system operating system must log SSH connection attempts and failures to the server. + + + + + + + + + The systemd Ctrl-Alt-Delete burst key sequence in the operating system must be disabled. + + + + + + + + + The operating system must use the invoking user's password for privilege escalation when using "sudo". + + + + + + + + + + + + + + + + + + + The operating system must require re-authentication when using the "sudo" command. + + + + + + + + + The operating system must generate audit records for successful/unsuccessful uses of the sudoedit command. + + + + + + + + + The operating system must generate audit records for the use and modification of the tallylog file. + + + + + + + + + The operating system must display a banner before granting local or remote access to the system via a graphical user logon. + + + + + + + + + The operating system operating systems must require authentication upon booting into emergency mode. + + + + + + + + + The operating system SSH daemon must be configured to use system-wide crypto policies. + + + + + + + + + The operating system must have the packages required to use the hardware random number generator entropy gatherer service. + + + + + + + + + The operating system SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. + + + + + + + + + + + + + The operating system must use a separate file system for /var/tmp. 
+ + + + + + + + + The operating system must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. + + + + + + + + + + The operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface. + + + + + + + + + + The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. + + + + + + + + + + The operating system must not allow blank or null passwords in the system-auth file. + + + + + + + + + The operating system must not allow blank or null passwords in the password-auth file. + + + + + + + + + The operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. + + + + + + + + + The operating system fapolicy module must be enabled. + + + + + + + + + All the operating system networked systems must have openssh-server package installed. + + + + + + + + + The operating system must enable kernel parameters to enforce discretionary access control on symlinks. + + + + + + + + + The operating system must enable kernel parameters to enforce discretionary access control on hardlinks. + + + + + + + + + The operating system must restrict access to the kernel message buffer. + + + + + + + + + The operating system must prevent kernel profiling by unprivileged users. + + + + + + + + + Successful/unsuccessful uses of the "rmdir" command in the operating system must generate an audit record. + + + + + + + + + + The operating system must not forward IPv6 source-routed packets by default. + + + + + + + + + The operating system operating system must not have accounts configured with blank or null passwords. + + + + + + + + + The operating system must ensure the password complexity module is enabled in the system-auth file. 
+ + + + + + + + + Systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. + + + + + + + + + The graphical display manager must not be the default target on the operating system unless approved. + + + + + + + + + Successful/unsuccessful uses of the "rename" command in the operating system must generate an audit record. + + + + + + + + + + Successful/unsuccessful uses of the "renameat" command in the operating system must generate an audit record. + + + + + + + + + + Successful/unsuccessful uses of the "unlink" command in the operating system must generate an audit record + + + + + + + + + + Successful/unsuccessful uses of the "unlinkat" command in the operating system must generate an audit record. + + + + + + + + + + The operating system audit system must be configured to audit any usage of the "fsetxattr" system call. + + + + + + + + + + + + The operating system audit system must be configured to audit any usage of the "lsetxattr" system call. + + + + + + + + + + + + Successful/unsuccessful uses of the fremovexattr system call in the operating system must generate an audit record. + + + + + + + + + + + + Successful/unsuccessful uses of the "lremovexattr" system call in the operating system must generate an audit record. + + + + + + + + + + + + Successful/unsuccessful uses of the "removexattr" system call in the operating system must generate an audit record. + + + + + + + + + + + + The system must terminate idle user sessions. + + + + + + + + + The operating system must enable the hardware random number generator entropy gatherer service. + + + + + + + + + The operating system systemd-journald service must be enabled. + + + + + + + + + The operating system must require a boot loader superuser password. + + + + + + + + + + The operating system must disable the ability of systemd to spawn an interactive boot process. 
+ + + + + + + + + + The operating system /boot/grub2/grub.cfg file must be group-owned by root. + + + + + + + + + The operating system /boot/grub2/grub.cfg file must be owned by root. + + + + + + + + + The operating system must restrict exposed kernel pointer addresses access. + + + + + + + + + The operating system must disable the asynchronous transfer mode (ATM) protocol. + + + + + + + + + + + + + + + + The operating system must disable the controller area network (CAN) protocol. + + + + + + + + + The operating system must disable IEEE 1394 (FireWire) Support. + + + + + + + + + + + + + + + + The operating system must disable the stream control transmission protocol (SCTP). + + + + + + + + + + + + + + + + The operating system must check the GPG signature of software packages originating from external software repositories before installation. + + + + + + + + + A File Transfer Protocol (FTP) server package must not be installed unless mission essential on the operating system. + + + + + + + + + The operating system must not have the nfs-utils package installed. + + + + + + + + + The gssproxy package must not be installed unless mission essential on the operating system. + + + + + + + + + The operating system must not have the quagga package installed. + + + + + + + + + The operating system must have the gnutls-utils package installed. + + + + + + + + + The operating system must have the nss-tools package installed. + + + + + + + + + The operating system must have the s-nail package installed. + + + + + + + + + The operating system must use a separate file system for /var/log. + + + + + + + + + The operating system must prevent device files from being interpreted on file systems that contain user home directories. + + + + + + + + + The operating system must prevent code from being executed on file systems that contain user home directories. + + + + + + + + + The operating system must mount /boot with the nodev option. 
+ + + + + + + + + The operating system must mount /tmp with the noexec option. + + + + + + + + + The operating system must mount /var with the nodev option. + + + + + + + + + + The operating system cron configuration directories must have a mode of 0700 or less permissive. + + + + + + + + + All the operating system local interactive user home directories must have mode 0750 or less permissive. + + + + + + + + + The operating system /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system /etc/group file must be owned by root. + + + + + + + + + The operating system /etc/group file must be group-owned by root. + + + + + + + + + The operating system /etc/group- file must be owned by root. + + + + + + + + + The operating system /etc/group- file must be group-owned by root. + + + + + + + + + The operating system /etc/gshadow file must be owned by root. + + + + + + + + + The operating system /etc/gshadow file must be group-owned by root. + + + + + + + + + The operating system /etc/gshadow- file must be owned by root. + + + + + + + + + The operating system /etc/gshadow- file must be group-owned by root. 
+ + + + + + + + + The operating system /etc/passwd file must be owned by root. + + + + + + + + + The operating system /etc/passwd file must be group-owned by root. + + + + + + + + + The operating system /etc/passwd- file must be owned by root. + + + + + + + + + The operating system /etc/passwd- file must be group-owned by root. + + + + + + + + + The operating system /etc/shadow file must be owned by root. + + + + + + + + + The operating system /etc/shadow file must be group-owned by root. + + + + + + + + + The operating system /etc/shadow- file must be owned by root. + + + + + + + + + The operating system /etc/shadow- file must be group-owned by root. + + + + + + + + + The operating system cron configuration files directory must be owned by root. + + + + + + + + + + The operating system cron configuration files directory must be group-owned by root. + + + + + + + + + The operating system /etc/crontab file must have mode 0600. + + + + + + + + + The operating system /etc/shadow file must have mode 0000 to prevent unauthorized access. + + + + + + + + + A firewall must be active on the operating system. + + + + + + + + + The operating system must have the chrony package installed. + + + + + + + + + The operating system chronyd service must be enabled. + + + + + + + + + The operating system must configure a DNS processing mode set be Network Manager. + + + + + + + + + + The operating system libreswan package must be installed. + + + + + + + + + All the operating system networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. + + + + + + + + + The operating system must have the openssh-clients package installed. + + + + + + + + + The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. 
+ + + + + + + + + + The operating system SSHD must accept public key authentication. + + + + + + + + + + + + + The operating system SSHD must not allow blank passwords. + + + + + + + + + The operating system must enable the Pluggable Authentication Module (PAM) interface for SSHD. + + + + + + + + + The operating system must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections. + + + + + + + + + + + + + + + + The operating system must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections. + + + + + + + + + The operating system SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. + + + + + + + + + The operating system must not allow a noncertificate trusted host SSH logon to the system. + + + + + + + + + The operating system SSH daemon must be configured with a timeout interval. + + + + + + + + + The operating system SSH server configuration file must be group-owned by root. + + + + + + + + + + + The operating system SSH server configuration file must be owned by root. + + + + + + + + + + + The operating system SSH server configuration file must have mode 0600 or less permissive. + + + + + + + + + + + The operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. + + + + + + + + + The operating system SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. + + + + + + + + + + + + + + + + The operating system SSH daemon must not allow rhosts authentication. + + + + + + + + + The operating system SSH daemon must not allow authentication using known host's authentication. + + + + + + + + + + + + + The operating system must display the date and time of the last successful account logon upon an SSH logon. 
+ + + + + + + + + + + + + The operating system must prevent a user from overriding the banner-message-enable setting for the graphical user interface. + + + + + + + + + + The operating system must disable the graphical user interface automount function unless required. + + + + + + + + + The operating system must prevent a user from overriding the disabling of the graphical user interface automount function. + + + + + + + + + + The operating system must prevent a user from overriding the disabling of the graphical user interface autorun function. + + + + + + + + + + The operating system must prevent a user from overriding the disabling of the graphical user smart card removal action. + + + + + + + + + + The operating system must prevent a user from overriding the session lock-delay setting for the graphical user interface. + + + + + + + + + + The operating system must disable the ability of a user to restart the system from the login screen. + + + + + + + + + The operating system must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. + + + + + + + + + + The operating system must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. + + + + + + + + + The operating system must have the USBGuard installed. + + + + + + + + + The operating system must have the USBGuard package enabled. + + + + + + + + + The operating system user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. + + + + + + + + + The operating system duplicate User IDs (UIDs) must not exist for interactive users. + + + + + + + + + The operating system system accounts must not have an interactive login shell. + + + + + + + + + All the operating system interactive users must have a primary group that exists. + + + + + + + + + All the operating system local interactive users must have a home directory assigned in the /etc/passwd file. 
+ + + + + + + + + + The operating system groups must have unique Group ID (GID). + + + + + + + + + The operating system must define default permissions for the bash shell. + + + + + + + + + The operating system must define default permissions for the c shell. + + + + + + + + + The operating system must define default permissions for the system default profile. + + + + + + + + + The operating system must configure SELinux context type to allow the use of a nondefault faillock tally directory. + + + + + + + + + + The operating system policycoreutils-python-utils package must be installed. + + + + + + + + + The operating system must have the sudo package installed. + + + + + + + + + The operating system must require users to reauthenticate for privilege escalation. + + + + + + + + + + The operating system must restrict privilege elevation to authorized personnel. + + + + + + + + + + The operating system must restrict the use of the "su" command. + + + + + + + + + The operating system fapolicy module must be installed. + + + + + + + + + The operating system password-auth must be configured to use a sufficient number of hashing rounds. + + + + + + + + + The operating system system-auth must be configured to use a sufficient number of hashing rounds. + + + + + + + + + The operating system must enforce password complexity rules for the root account. + + + + + + + + + The operating system operating system must not be configured to bypass password requirements for privilege escalation. + + + + + + + + + The operating system must use the CAC smart card driver. + + + + + + + + + The operating system must enable certificate based smart card authentication. + + + + + + + + + The operating system must implement certificate status checking for multifactor authentication. + + + + + + + + + The operating system must have the pcsc-lite package installed. + + + + + + + + + The pcscd service on the operating system must be active. 
+ + + + + + + + + The operating system must have the opensc package installed. + + + + + + + + + The operating system operating systems must require authentication upon booting into rescue mode. + + + + + + + + + + The operating system operating system must use a file integrity tool to verify correct operation of all security functions. + + + + + + + + + + The rsyslog service must be running in the operating system. + + + + + + + + + The operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. + + + + + + + + + All the operating system remote access methods must be monitored. + + + + + + + + + + + The operating system must be configured to offload audit records onto a different system from the system being audited via syslog. + + + + + + + + + The operating system audit records must be off-loaded onto a different system or storage media from the system being audited. + + + + + + + + + + The operating system audit service must be enabled. + + + + + + + + + + The operating system must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. + + + + + + + + + + The operating system must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. + + + + + + + + + The operating system must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. + + + + + + + + + The operating system audit system must take appropriate action when the audit files have reached maximum size. + + + + + + + + + The operating system must periodically flush audit records to disk to prevent the loss of audit records. + + + + + + + + + The operating system must write audit records to disk. 
+ + + + + + + + + The operating system /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. + + + + + + + + + The operating system audispd-plugins package must be installed. + + + + + + + + + Successful/unsuccessful uses of the init command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the poweroff command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the reboot command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the shutdown command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the umount system call in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the umount2 system call in the operating system must generate an audit record. + + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. + + + + + + + + + The operating system must take appropriate action when a critical audit processing failure occurs. + + + + + + + + + The operating system IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. + + + + + + + + + + + + + The operating system must have the crypto-policies package installed. + + + + + + + + + The operating system must implement DOD-approved encryption in the bind package. + + + + + + + + + The operating system library directories must have mode 0755 or less permissive. + + + + + + + + + + + + + The operating system SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. 
+ + + + + + + + + The operating system SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + + + + + + + + + The operating system must be a vendor supported release. + + + + + + + + + The operating system must enable FIPS mode. + + + + + + + + + The operating system must have the SSSD package installed. + + + + + + + + + The operating system must use the SSSD package for multifactor authentication services. + + + + + + + + + + The operating system oracle-linux-manager package must be installed. + + + + + + + + + The operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. + + + + + + + + + The operating system must not allow users to override SSH environment variables. + + + + + + + + + The operating system must disable the use of user namespaces. + + + + + + + + + The operating system must clear SLUB/SLAB objects to prevent use-after-free attacks. + + + + + + + + + + The operating system must disable access to network bpf system call from nonprivileged processes. + + + + + + + + + The operating system must automatically exit interactive command shell user sessions after 15 minutes of inactivity. + + + + + + + + + The operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. + + + + + + + + + The operating system must enable hardening for the Berkeley Packet Filter Just-in-time compiler. + + + + + + + + + The operating system system commands must be group-owned by root or a system account. + + + + + + + + + The operating system system commands must be owned by root. + + + + + + + + + The operating system system commands must have mode 755 or less permissive. 
+ + + + + + + + + + The operating system library directories must be group-owned by root or a system account. + + + + + + + + + The operating system library directories must be owned by root. + + + + + + + + + The operating system library directories must have mode 755 or less permissive. + + + + + + + + + + The operating system must authenticate the remote logging server for offloading audit logs via rsyslog. + + + + + + + + + The operating system must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. + + + + + + + + + The operating system must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. + + + + + + + + + The operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. + + + + + + + + + The operating system must not forward IPv4 source-routed packets. + + + + + + + + + The operating system must log IPv4 packets with impossible addresses. + + + + + + + + + The operating system must log IPv4 packets with impossible addresses by default. + + + + + + + + + The operating system must use reverse path filtering on all IPv4 interfaces. + + + + + + + + + The operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + + + + + + + + + The operating system must not forward IPv4 source-routed packets by default. + + + + + + + + + The operating system must use a reverse-path filter for IPv4 network traffic, when possible, by default. + + + + + + + + + The operating system must not enable IPv4 packet forwarding unless the system is a router. + + + + + + + + + The operating system must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
+ + + + + + + + + The operating system must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. + + + + + + + + + The operating system must not send Internet Control Message Protocol (ICMP) redirects. + + + + + + + + + The operating system must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + + + + + + + + + The operating system must not accept router advertisements on all IPv6 interfaces. + + + + + + + + + The operating system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + + + + + + + + + The operating system must not forward IPv6 source-routed packets. + + + + + + + + + The operating system must not enable IPv6 packet forwarding unless the system is a router. + + + + + + + + + The operating system must not accept router advertisements on all IPv6 interfaces by default. + + + + + + + + + The operating system must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + + + + + + + + + The operating system must be configured to use TCP syncookies. + + + + + + + + + The operating system must audit any script or executable called by cron as root or by any privileged user. + + + + + + + + + + The autofs package is installed. + + + + + + + + + The system has nfs entries in /etc/fstab + + + + + + + + + The postifx package is installed. + + + + + + + + + The Trivial File Transfer Protocol (TFTP) server package is installed. + + + + + + + + + The libreswan package is installed. + + + + + + + + + The system has BIND installed. + + + + + + + + + Gnome is installed + + Linux Systems + + + + + + + + + + + Linux United Extensible Firmware Interface (UEFI) + + Linux Systems + + + + + + + + + + IPv6 is disabled in the kernel. + + Linux Systems + + IPv6 is disabled in the kernel, either via a kernel cmdline option or sysctl. 
+ + + + + + + + + + + + Linux UEFI Boot Partition Not VFAT File Type + + Linux Systems + + + + + + + + + + + + + + OL09-00-000002 - OL 9 must use a separate file system for the system audit data path. + + Oracle Linux 9 + + Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cannot be halted due to the partition running out of space. + + + + + + + + OL09-00-000003 - OL 9 must be configured so that a separate file system must be used for user home directories (such as /home or an equivalent). + + Oracle Linux 9 + + Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. + + + + + + + + OL09-00-000004 - OL 9 must use a separate file system for /tmp. + + Oracle Linux 9 + + The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. + + + + + + + + OL09-00-000005 - OL 9 must use a separate file system for /var. + + Oracle Linux 9 + + Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories installed by other software packages. + + + + + + + + OL09-00-000006 - OL 9 must use a separate file system for /var/log. + + Oracle Linux 9 + + Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/". + + + + + + + + OL09-00-000007 - OL 9 must use a separate file system for /var/tmp. + + Oracle Linux 9 + + The "/var/tmp" partition is used as temporary storage by many programs. 
Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. + + + + + + + + OL09-00-000010 - OL 9 must be a vendor supported release. + + Oracle Linux 9 + + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + + Oracle offers Oracle Linux Premier Support, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. + + + + + + + + OL09-00-000020 - OL 9 must be configured so that the graphical display manager is not the default target unless approved. + + Oracle Linux 9 + + Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented. + + + + + + + + OL09-00-000025 - OL 9 must require authentication to access emergency mode. + + Oracle Linux 9 + + To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
+ + This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. + + + + + + + + OL09-00-000030 - OL 9 must require authentication to access single-user mode. + + Oracle Linux 9 + + To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + + This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. + + + + + + + + OL09-00-000040 - OL 9 must be configured to disable the Asynchronous Transfer Mode (ATM) kernel module. + + Oracle Linux 9 + + Disabling ATM protects the system against exploitation of any flaws in its implementation. + + + + + + + + OL09-00-000041 - OL 9 must be configured to disable the Controller Area Network (CAN) kernel module. + + Oracle Linux 9 + + Disabling CAN protects the system against exploitation of any flaws in its implementation. + + + + + + + + OL09-00-000042 - OL 9 must be configured to disable the FireWire kernel module. 
+ + Oracle Linux 9 + + Disabling firewire protects the system against exploitation of any flaws in its implementation. + + + + + + + + OL09-00-000043 - OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. + + Oracle Linux 9 + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation. + + + + + + + + OL09-00-000044 - OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. + + Oracle Linux 9 + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The TIPC is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free, and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation. + + + + + + + + OL09-00-000045 - OL 9 must disable mounting of cramfs. 
+ + Oracle Linux 9 + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Removing support for unneeded filesystem types reduces the local attack surface of the server. + + Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. + + + + + + + + OL09-00-000046 - OL 9 Bluetooth must be disabled. + + Oracle Linux 9 + + This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the authorizing official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 9 operating system. + + Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 + + + + + + + + OL09-00-000047 - OL 9 must be configured to disable USB mass storage. + + Oracle Linux 9 + + USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. + + Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 + + + + + + + + OL09-00-000060 - OL 9 must use a Linux Security Module configured to enforce limits on system services. 
+ + Oracle Linux 9 + + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + + Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068 + + + + + + + + OL09-00-000065 - OL 9 must enable the SELinux targeted policy. + + Oracle Linux 9 + + Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. + + Note: During the development or debugging of SELinux modules, it is common to temporarily place nonproduction systems in "permissive" mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to "targeted". + + + + + + + + OL09-00-000070 - OL 9 must enable FIPS mode. + + Oracle Linux 9 + + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + + Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223 + + + + + + + + OL09-00-000100 - OL 9 must not have the nfs-utils package installed. + + Oracle Linux 9 + + "nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, "showmount" can display the clients that are mounted on that host. + + + + + + + + OL09-00-000110 - OL 9 must not have the telnet-server package installed. + + Oracle Linux 9 + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. + + The telnet service provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. + + Removing the "telnet-server" package decreases the risk of accidental (or intentional) activation of the telnet service. + + + + + + + + OL09-00-000115 - OL 9 must not have the gssproxy package installed. + + Oracle Linux 9 + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). + + The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. + + + + + + + + OL09-00-000120 - OL 9 must not have the iprutils package installed. + + Oracle Linux 9 + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + + The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. + + + + + + + + OL09-00-000125 - OL 9 must not have the tuned package installed. + + Oracle Linux 9 + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + + The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. + + + + + + + + OL09-00-000130 - OL 9 must not have a File Transfer Protocol (FTP) server package installed. + + Oracle Linux 9 + + The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. + + Removing the "vsftpd" package decreases the risk of accidental activation. + + Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049 + + + + + + + + OL09-00-000135 - OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. + + Oracle Linux 9 + + Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. + + If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established. + + + + + + + + OL09-00-000140 - OL 9 must not have the quagga package installed. + + Oracle Linux 9 + + Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. 
+ + If there is no need to make the router software available, removing it provides a safeguard against its activation. + + + + + + + + OL09-00-000145 - OL 9 must not have a graphical display manager installed unless approved. + + Oracle Linux 9 + + Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + + + + + + + + OL09-00-000150 - OL 9 must not have the sendmail package installed. + + Oracle Linux 9 + + The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. + + + + + + + + OL09-00-000200 - OL 9 must have policycoreutils package installed. + + Oracle Linux 9 + + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + + Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. + + + + + + + + OL09-00-000210 - OL 9 policycoreutils-python-utils package must be installed. + + Oracle Linux 9 + + The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. 
It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox. + + + + + + + + OL09-00-000220 - OL 9 must have the firewalld package installed. + + Oracle Linux 9 + + Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. + + Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + OL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + + Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232 + + + + + + + + OL09-00-000221 - OL 9 must be configured so that the firewalld service is active. + + Oracle Linux 9 + + Firewalld provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
+ + Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + OL 9 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + + Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115 + + + + + + + + OL09-00-000230 - OL 9 must have the sudo package installed. + + Oracle Linux 9 + + sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to complete their work. + + + + + + + + OL09-00-000231 - OL 9 must use the invoking user's password for privilege escalation when using sudo. + + Oracle Linux 9 + + If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. + + + + + + + + OL09-00-000232 - OL 9 must restrict privilege elevation to authorized personnel. + + Oracle Linux 9 + + If the sudoers file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. + + + + + + + + OL09-00-000240 - OL 9 must have the crypto-policies package installed. + + Oracle Linux 9 + + Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. 
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + + Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 + + + + + + + + OL09-00-000250 - OL 9 networked systems must have SSH installed. + + Oracle Linux 9 + + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + + This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + + Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190 + + + + + + + + OL09-00-000251 - OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. + + Oracle Linux 9 + + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
+ + This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + + Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190 + + + + + + + + OL09-00-000252 - The OL 9 SSH daemon must be configured to use systemwide cryptographic policies. + + Oracle Linux 9 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + + OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. 
+ + + + + + + + OL09-00-000254 - OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. + + Oracle Linux 9 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + + OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + + + + + + + OL09-00-000255 - OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. + + Oracle Linux 9 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + + OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + + + + + + + OL09-00-000256 - OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. + + Oracle Linux 9 + + The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. + + Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + + + + + + OL09-00-000260 - OL 9 must have the openssh-clients package installed. + + Oracle Linux 9 + + This package includes utilities to make encrypted connections and transfer files securely to SSH servers. + + + + + + + + OL09-00-000261 - OL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + + Oracle Linux 9 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + + OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + + + + + + + OL09-00-000262 - OL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + + Oracle Linux 9 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + + OL 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + + + + + + + OL09-00-000270 - OL 9 must have the openssl-pkcs11 package installed. 
+ + Oracle Linux 9 + + Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. + + Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162 + + + + + + + + OL09-00-000285 - OL 9 must have the SSSD package installed. + + Oracle Linux 9 + + Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + + Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. + + A privileged account is defined as an information system account with authorizations of a privileged user. + + Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). 
+ + Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160 + + + + + + + + OL09-00-000286 - OL 9 must use the SSSD package for multifactor authentication services. + + Oracle Linux 9 + + Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + + Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD Common Access Card. + + A privileged account is defined as an information system account with authorizations of a privileged user. + + Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. + + Multifactor authentication requires using two or more factors to achieve authentication. + + Factors include: + 1) Something a user knows (e.g., password/PIN); + 2) Something a user has (e.g., cryptographic identification device, token); and + 3) Something a user is (e.g., biometric). + + A privileged account is defined as an information system account with authorizations of a privileged user. + + Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). + + The DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. 
+ + Satisfies: SRG-OS-000705-GPOS-00150, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00161 + + + + + + + + OL09-00-000290 - OL 9 must have the s-nail package installed. + + Oracle Linux 9 + + The s-nail package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel. + + + + + + + + OL09-00-000300 - OL 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. + + Oracle Linux 9 + + Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + + Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 + + + + + + + + OL09-00-000310 - OL 9 must have the chrony package installed. + + Oracle Linux 9 + + Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. + + + + + + + + OL09-00-000311 - OL 9 must enable the chronyd service. + + Oracle Linux 9 + + Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. + + Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. + + + + + + + + OL09-00-000320 - OL 9 must have the USBGuard package installed. + + Oracle Linux 9 + + The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. + + The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + + + + + + + + OL09-00-000321 - OL 9 must enable the USBGuard package. + + Oracle Linux 9 + + The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. + + The system administrator (SA) must work with the site information system security officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + + + + + + + + OL09-00-000330 - OL 9 must have the oracle-linux-manager package installed. 
+ + Oracle Linux 9 + + Oracle Linux Manager, based on the Spacewalk open source software, helps automate Oracle Linux systems management. This enables users to control the system software life cycle from initial installation through maintenance, software configuration, upgrades, and eventual decommissioning. Oracle Linux Manager also helps automate a kickstart installation, system configuration, and maintenance tasks, which enables rapid deployment of proven and consistent software configurations for Oracle Linux systems. + + + + + + + + OL09-00-000340 - OL 9 must have the fapolicy module installed. + + Oracle Linux 9 + + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. + + Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. + + User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. + + OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blocklist or allowlist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. 
+ + Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 + + + + + + + + OL09-00-000341 - OL 9 must enable the fapolicy module. + + Oracle Linux 9 + + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. + + Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allowlisted software occurs prior to execution or at system startup. + + User home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. + + OL 9 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blocklist or allowlist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system nonfunctional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 + + + + + + + + OL09-00-000350 - OL 9 must have the rsyslog package installed. + + Oracle Linux 9 + + rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS, and DTLS protocols), to create a method to securely encrypt and offload auditing. 
+ + Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024 + + + + + + + + OL09-00-000351 - OL 9 must be configured so that the rsyslog service is active. + + Oracle Linux 9 + + The rsyslog service must be running to provide logging services, which are essential to system administration. + + + + + + + + OL09-00-000355 - OL 9 must have the packages required for encrypting offloaded audit logs installed. + + Oracle Linux 9 + + The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. + + + + + + + + OL09-00-000360 - OL 9 must enable the hardware random number generator entropy gatherer service. + + Oracle Linux 9 + + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + + The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + + + + + + + + OL09-00-000370 - OL 9 must have the rng-tools package installed. + + Oracle Linux 9 + + rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates. + + + + + + + + OL09-00-000380 - OL 9 must have the nss-tools package installed. + + Oracle Linux 9 + + Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database. 
+ + + + + + + + OL09-00-000390 - OL 9 must have the pcsc-lite package installed. + + Oracle Linux 9 + + The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards. + + + + + + + + OL09-00-000400 - OL 9 must have the opensc package installed. + + Oracle Linux 9 + + The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. + + The DOD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. + + Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161 + + + + + + + + OL09-00-000401 - OL 9 must be configured so that the pcscd service is active. + + Oracle Linux 9 + + The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + + The daemon program for pcsc-lite and the MuscleCard framework is pcscd. It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system. + + + + + + + + OL09-00-000410 - OL 9 must have the libreswan package installed. + + Oracle Linux 9 + + Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. + + + + + + + + OL09-00-000430 - OL 9 must have the gnutls-utils package installed. + + Oracle Linux 9 + + GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. 
This package contains command line TLS client and server and certificate manipulation tools. + + + + + + + + OL09-00-000440 - OL 9 must have the audit package installed. + + Oracle Linux 9 + + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + + Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + + Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured OL 9 system. + + Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026 + + + + + + + + OL09-00-000441 - OL 9 audit service must be enabled. + + Oracle Linux 9 + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. 
+ + Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. + + Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 + + + + + + + + OL09-00-000450 - OL 9 must have the audispd-plugins package installed. + + Oracle Linux 9 + + audispd-plugins provides plug-ins for the real-time interface to the audit subsystem, audispd. These plug-ins can do things like relay events to remote machines or analyze events for suspicious behavior. + + + + + + + + OL09-00-000495 - OL 9 must remove all software components after updated versions have been installed. + + Oracle Linux 9 + + Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. + + + + + + + + OL09-00-000496 - OL 9 must check the GPG signature of locally installed software packages before installation. + + Oracle Linux 9 + + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + + All software packages must be signed with a cryptographic key recognized and approved by the organization. 
+ + Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. + + + + + + + + OL09-00-000497 - OL 9 must check the GPG signature of software packages originating from external software repositories before installation. + + Oracle Linux 9 + + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + + All software packages must be signed with a cryptographic key recognized and approved by the organization. + + Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. + + + + + + + + OL09-00-000498 - OL 9 must have GPG signature verification enabled for all software repositories. + + Oracle Linux 9 + + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + + All software packages must be signed with a cryptographic key recognized and approved by the organization. + + Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. + + + + + + + + OL09-00-000500 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. 
+ + Oracle Linux 9 + + The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. + + Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 + + + + + + + + OL09-00-000505 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. + + Oracle Linux 9 + + The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. + + Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 + + + + + + + + OL09-00-000510 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. + + Oracle Linux 9 + + In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications must be investigated for legitimacy. + + Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 + + + + + + + + OL09-00-000515 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. + + Oracle Linux 9 + + In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. + + Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 + + + + + + + + OL09-00-000520 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. + + Oracle Linux 9 + + In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ + Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 + + + + + + + + OL09-00-000525 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. + + Oracle Linux 9 + + In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. + + Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107 + + + + + + + + OL09-00-000530 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. + + Oracle Linux 9 + + In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ + Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 + + + + + + + + OL09-00-000535 - OL 9 must audit all uses of the unix_update command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000540 - OL 9 must audit all uses of the su command. 
+ + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 + + + + + + + + OL09-00-000545 - OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. + + Oracle Linux 9 + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 + + + + + + + + OL09-00-000550 - OL 9 must audit all uses of the chage command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000555 - OL 9 must audit all uses of the chcon command. + + Oracle Linux 9 + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 + + + + + + + + OL09-00-000560 - OL 9 must audit all uses of the setfacl command. 
+ + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000565 - OL 9 must audit all uses of the chsh command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000570 - OL 9 must audit all uses of the crontab command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000575 - OL 9 must audit all uses of the gpasswd command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000580 - OL 9 must audit all uses of the newgrp command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+ + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000585 - OL 9 must audit all uses of the pam_timestamp_check command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000590 - OL 9 must audit all uses of the passwd command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000595 - OL 9 must audit all uses of the postdrop command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000600 - OL 9 must audit all uses of the postqueue command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. 
Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000605 - OL 9 must audit all uses of the ssh-agent command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000610 - OL 9 must audit all uses of the ssh-keysign command. 
+ + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000615 - OL 9 must audit all uses of the sudoedit command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000620 - OL 9 must audit all uses of the unix_chkpwd command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000625 - OL 9 must audit all uses of the userhelper command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000630 - OL 9 must audit all uses of the mount command. + + Oracle Linux 9 + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+ + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000635 - OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. 
The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 + + + + + + + + OL09-00-000640 - OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. + + Oracle Linux 9 + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203 + + + + + + + + OL09-00-000645 - OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. 
+ + Oracle Linux 9 + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 + + + + + + + + OL09-00-000650 - OL 9 must audit all uses of the semanage command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 + + + + + + + + OL09-00-000655 - OL 9 must audit all uses of the setfiles command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 + + + + + + + + OL09-00-000660 - OL 9 must audit all uses of the setsebool command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 + + + + + + + + OL09-00-000665 - OL 9 must audit all uses of the chacl command. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 + + + + + + + + OL09-00-000670 - OL 9 must audit all uses of the sudo command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. 
Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 + + + + + + + + OL09-00-000675 - OL 9 must audit all uses of the usermod command. + + Oracle Linux 9 + + Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 + + + + + + + + OL09-00-000680 - OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. 
+ + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212 + + + + + + + + OL09-00-000685 - OL 9 must audit all uses of the delete_module system call. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 + + + + + + + + OL09-00-000690 - OL 9 must audit all uses of the init_module and finit_module system calls. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 + + + + + + + + OL09-00-000695 - OL 9 must audit all uses of the kmod command. + + Oracle Linux 9 + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 + + + + + + + + OL09-00-000700 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. 
+ + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214 + + + + + + + + OL09-00-000705 - OL 9 must audit all uses of umount system calls. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000710 - OL 9 must use cryptographic mechanisms to protect the integrity of audit tools. 
+ + Oracle Linux 9 + + Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. + + Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. + + To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. + + Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 + + + + + + + + OL09-00-000715 - OL 9 must audit uses of the execve system call. + + Oracle Linux 9 + + Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. + + Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-OS-000755-GPOS-00220 + + + + + + + + OL09-00-000720 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. 
+ + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 + + + + + + + + OL09-00-000725 - OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. + + Oracle Linux 9 + + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 + + + + + + + + OL09-00-000730 - OL 9 must be configured so that successful/unsuccessful uses of the init command generate an audit record. + + Oracle Linux 9 + + Misuse of the init command may cause availability issues for the system. + + + + + + + + OL09-00-000735 - OL 9 must be configured so that successful/unsuccessful uses of the poweroff command generate an audit record. + + Oracle Linux 9 + + Misuse of the poweroff command may cause availability issues for the system. + + + + + + + + OL09-00-000740 - OL 9 must be configured so that successful/unsuccessful uses of the reboot command generate an audit record. + + Oracle Linux 9 + + Misuse of the reboot command may cause availability issues for the system. + + + + + + + + OL09-00-000745 - OL 9 must be configured so that successful/unsuccessful uses of the shutdown command generate an audit record. + + Oracle Linux 9 + + Misuse of the shutdown command may cause availability issues for the system. + + + + + + + + OL09-00-000750 - OL 9 must enable auditing of processes that start prior to the audit daemon. 
+ + Oracle Linux 9 + + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095 + + + + + + + + OL09-00-000755 - OL 9 must label all offloaded audit logs before sending them to the central log server. + + Oracle Linux 9 + + Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + + When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. + + Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 + + + + + + + + OL09-00-000760 - OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. + + Oracle Linux 9 + + It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + + + + + + + + OL09-00-000765 - OL 9 audit system must take appropriate action when the audit storage volume is full. 
+ + Oracle Linux 9 + + It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + + + + + + + + OL09-00-000770 - OL 9 audit system must take appropriate action when the audit files have reached maximum size. + + Oracle Linux 9 + + It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + + + + + + + + OL09-00-000775 - OL 9 must periodically flush audit records to disk to prevent the loss of audit records. + + Oracle Linux 9 + + If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost. + + + + + + + + OL09-00-000785 - OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. + + Oracle Linux 9 + + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + + Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 + + + + + + + + OL09-00-000790 - OL 9 audit log directory must be owned by root to prevent unauthorized read access. + + Oracle Linux 9 + + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
+ + Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 + + + + + + + + OL09-00-000795 - OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. + + Oracle Linux 9 + + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + + The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 + + + + + + + + OL09-00-000800 - OL 9 audit system must audit local events. + + Oracle Linux 9 + + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + + If option "local_events" isn't set to "yes" only events from network will be aggregated. + + + + + + + + OL09-00-000805 - OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. + + Oracle Linux 9 + + Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + + + + + + + OL09-00-000810 - OL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + + + + + + + OL09-00-000815 - OL 9 must forward mail from postmaster to the root account using a postfix alias. + + Oracle Linux 9 + + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + + + + + + + + OL09-00-000820 - OL 9 must take appropriate action when a critical audit processing failure occurs. + + Oracle Linux 9 + + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. 
+ + Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00135 + + + + + + + + OL09-00-000825 - The OL 9 system administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. + + Oracle Linux 9 + + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + + This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + + Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134 + + + + + + + + OL09-00-000830 - OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. + + Oracle Linux 9 + + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. 
+ + Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132 + + + + + + + + OL09-00-000835 - OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. + + Oracle Linux 9 + + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + + Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + + Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + + + + + + + + OL09-00-000840 - OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record. + + Oracle Linux 9 + + The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. + + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000845 - OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record. + + Oracle Linux 9 + + The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing discretionary access control (DAC) modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
+ + Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 + + + + + + + + OL09-00-000850 - OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. + + Oracle Linux 9 + + To ensure OL 9 systems have a sufficient storage capacity in which to write the audit logs, OL 9 needs to be able to allocate audit record storage capacity. + + The task of allocating audit record storage capacity is usually performed during initial installation of OL 9. + + Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 + + + + + + + + OL09-00-000855 - OL 9 must be configured to offload audit records onto a different system from the system being audited via syslog. + + Oracle Linux 9 + + The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. + + Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 + + + + + + + + OL09-00-000860 - OL 9 must take appropriate action when the internal event queue is full. + + Oracle Linux 9 + + The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Offloading is a common process in information systems with limited audit storage capacity. + + Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 + + + + + + + + OL09-00-000865 - OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
+ + Oracle Linux 9 + + If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion. + + + + + + + + OL09-00-000870 - OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. + + Oracle Linux 9 + + If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit record storage capacity expansion. The notification can be set to trigger at lower utilization thresholds at the ISSO's discretion. + + + + + + + + OL09-00-000875 - OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. + + Oracle Linux 9 + + If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. + + + + + + + + OL09-00-000880 - OL 9 must write audit records to disk. + + Oracle Linux 9 + + Audit data should be synchronously written to disk to ensure log integrity. This setting ensures that all audit event data is written disk. + + + + + + + + OL09-00-000885 - OL 9 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. + + Oracle Linux 9 + + If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. + + + + + + + + OL09-00-000925 - OL 9 must enable certificate-based smart card authentication. + + Oracle Linux 9 + + Without the use of multifactor authentication (MFA), the ease of access to privileged functions is greatly increased. 
Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. + + Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052 + + + + + + + + OL09-00-000930 - OL 9 must implement certificate status checking for multifactor authentication (MFA). + + Oracle Linux 9 + + Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + + Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. + + OL 9 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, SSSD performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. + + Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162 + + + + + + + + OL09-00-000935 - OL 9 must prohibit the use of cached authenticators after one day. + + Oracle Linux 9 + + If cached authentication information is out-of-date, the validity of the authentication information may be questionable. + + + + + + + + OL09-00-000940 - OL 9 must use the CAC smart card driver. + + Oracle Linux 9 + + Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. 
Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. + + Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058 + + + + + + + + OL09-00-001000 - OL 9 must ensure the password complexity module is enabled in the system-auth file. + + Oracle Linux 9 + + Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. + + + + + + + + OL09-00-001001 - OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + + OL 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: + /etc/pam.d/password-auth + /etc/pam.d/system-auth + + By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes. + + + + + + + + OL09-00-001005 - OL 9 must enforce password complexity by requiring that at least one uppercase character be used. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. + + + + + + + + OL09-00-001010 - OL 9 must ensure the password complexity module is enabled in the password-auth file. + + Oracle Linux 9 + + Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. + + Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038 + + + + + + + + OL09-00-001015 - OL 9 must enforce password complexity by requiring that at least one lowercase character be used. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. + + + + + + + + OL09-00-001020 - OL 9 must enforce password complexity by requiring that at least one numeric character be used. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. + + + + + + + + OL09-00-001025 - OL 9 must require the change of at least eight characters when passwords are changed. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords will not resemble previously compromised ones. Note that passwords changed on compromised systems will still be compromised. + + + + + + + + OL09-00-001030 - OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. + + + + + + + + OL09-00-001035 - OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. 
+ + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. + + + + + + + + OL09-00-001040 - OL 9 must require the change of at least four character classes when passwords are changed. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. + + + + + + + + OL09-00-001045 - OL 9 must enforce password complexity rules for the root account. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+ + Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037 + + + + + + + + OL09-00-001050 - OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. + + Oracle Linux 9 + + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + + This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. + + + + + + + + OL09-00-001055 - OL 9 must be configured to use the shadow file to store only encrypted representations of passwords. + + Oracle Linux 9 + + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + + This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the "crypt_style" configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. + + + + + + + + OL09-00-001060 - OL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. 
+ + Oracle Linux 9 + + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. + + OL 9 systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + + FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + + + + + + + + OL09-00-001065 - OL 9 password-auth must be configured to use a sufficient number of hashing rounds. + + Oracle Linux 9 + + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + + Using more hashing rounds makes password cracking attacks more difficult. + + Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 + + + + + + + + OL09-00-001070 - OL 9 system-auth must be configured to use a sufficient number of hashing rounds. + + Oracle Linux 9 + + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + + Using more hashing rounds makes password cracking attacks more difficult. + + Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 + + + + + + + + OL09-00-001075 - OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds. 
+ + Oracle Linux 9 + + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + + Using more hashing rounds makes password cracking attacks more difficult. + + Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 + + + + + + + + OL09-00-001080 - OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. + + Oracle Linux 9 + + The system must use a strong hashing algorithm to store the password. + + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + + Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 + + + + + + + + OL09-00-001085 - OL 9 passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs. + + Oracle Linux 9 + + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + + Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. + + + + + + + + OL09-00-001090 - OL 9 passwords must have a 24-hour minimum password lifetime restriction in /etc/shadow. + + Oracle Linux 9 + + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + + + + + + + + OL09-00-001095 - OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. + + Oracle Linux 9 + + Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. + + Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. + + + + + + + + OL09-00-001100 - OL 9 user account passwords must have a 60-day maximum password lifetime restriction. + + Oracle Linux 9 + + Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If OL 9 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that OL 9 passwords could be compromised. + + + + + + + + OL09-00-001105 - OL 9 passwords must be created with a minimum of 15 characters. + + Oracle Linux 9 + + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + + Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + + OL 9 uses "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. + + The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, but they will not count toward the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. + + The DOD minimum password requirement is 15 characters. + + + + + + + + OL09-00-001110 - OL 9 must not allow blank or null passwords. + + Oracle Linux 9 + + If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + + + + + + + + + OL09-00-001115 - OL 9 must require a boot loader superuser password. + + Oracle Linux 9 + + To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
+ + Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. + + + + + + + + OL09-00-001120 - OL 9 must enforce password complexity by requiring that at least one special character be used. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. OL 9 uses "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + + + + + + + + OL09-00-001125 - OL 9 must prevent the use of dictionary words for passwords. + + Oracle Linux 9 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If OL 9 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. + + + + + + + + OL09-00-001130 - OL 9 must not have accounts configured with blank or null passwords. + + Oracle Linux 9 + + If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. 
+ + + + + + + + OL09-00-002000 - OL 9 file system automount function must be disabled unless required. + + Oracle Linux 9 + + An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. + + Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 + + + + + + + + OL09-00-002011 - OL 9 must prevent special devices on file systems that are imported via Network File System (NFS). + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002012 - OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). + + Oracle Linux 9 + + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002013 - OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). + + Oracle Linux 9 + + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002030 - OL 9 must mount /boot with the nodev option. 
+ + Oracle Linux 9 + + The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails. + + + + + + + + OL09-00-002031 - OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. + + Oracle Linux 9 + + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002032 - OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. + + Oracle Linux 9 + + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002040 - OL 9 must mount /dev/shm with the nodev option. + + Oracle Linux 9 + + The nodev mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002041 - OL 9 must mount /dev/shm with the noexec option. + + Oracle Linux 9 + + The noexec mount option causes the system to not execute binary files. 
This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002042 - OL 9 must mount /dev/shm with the nosuid option. + + Oracle Linux 9 + + The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002050 - OL 9 must mount /tmp with the nodev option. + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002051 - OL 9 must mount /tmp with the noexec option. + + Oracle Linux 9 + + The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002052 - OL 9 must mount /tmp with the nosuid option. + + Oracle Linux 9 + + The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002060 - OL 9 must mount /var with the nodev option. + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002061 - OL 9 must mount /var/log with the nodev option. + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002062 - OL 9 must mount /var/log with the noexec option. + + Oracle Linux 9 + + The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002063 - OL 9 must mount /var/log with the nosuid option. + + Oracle Linux 9 + + The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002064 - OL 9 must mount /var/log/audit with the nodev option. + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002065 - OL 9 must mount /var/log/audit with the noexec option. + + Oracle Linux 9 + + The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002066 - OL 9 must mount /var/log/audit with the nosuid option. + + Oracle Linux 9 + + The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002067 - OL 9 must mount /var/tmp with the nodev option. + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
+ + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002068 - OL 9 must mount /var/tmp with the noexec option. + + Oracle Linux 9 + + The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002069 - OL 9 must mount /var/tmp with the nosuid option. + + Oracle Linux 9 + + The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002070 - OL 9 must prevent device files from being interpreted on file systems that contain user home directories. + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002071 - OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. + + Oracle Linux 9 + + The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. 
This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002072 - OL 9 must prevent code from being executed on file systems that contain user home directories. + + Oracle Linux 9 + + The noexec mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + + + + + + + OL09-00-002080 - OL 9 must prevent special devices on nonroot local partitions. + + Oracle Linux 9 + + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. + + The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. + + + + + + + + OL09-00-002100 - OL 9 must disable the graphical user interface automount function unless required. + + Oracle Linux 9 + + Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. + + Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 + + + + + + + + OL09-00-002120 - OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. + + Oracle Linux 9 + + A nonprivileged account is any operating system account with authorizations of a nonprivileged user. 
+ + Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 + + + + + + + + OL09-00-002121 - OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. + + Oracle Linux 9 + + Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. + + Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 + + + + + + + + OL09-00-002122 - OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. + + Oracle Linux 9 + + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + + For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. + + Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + + + + + + OL09-00-002123 - OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. + + Oracle Linux 9 + + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be determined and/or controlled. 
+ + Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + + Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 + + + + + + + + OL09-00-002124 - OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. + + Oracle Linux 9 + + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. + + Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 + + + + + + + + OL09-00-002125 - OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. + + Oracle Linux 9 + + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. + + + + + + + + OL09-00-002126 - OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. 
+ + Oracle Linux 9 + + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + + Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 + + + + + + + + OL09-00-002127 - OL 9 must disable the ability of a user to restart the system from the login screen. + + Oracle Linux 9 + + A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. + + + + + + + + OL09-00-002128 - OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. + + Oracle Linux 9 + + A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. + + + + + + + + OL09-00-002129 - OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. + + Oracle Linux 9 + + A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
+ + + + + + + + OL09-00-002150 - OL 9 must be configured to enable the display of the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. + + Oracle Linux 9 + + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + + For U.S. government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. + + Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + + + + + + OL09-00-002160 - OL 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. + + Oracle Linux 9 + + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 9 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + + Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 + + + + + + + + OL09-00-002161 - OL 9 must not allow unattended or automatic logon via the graphical user interface. + + Oracle Linux 9 + + Failure to restrict system access to authenticated users negatively impacts operating system security. + + + + + + + + OL09-00-002301 - OL 9 must define default permissions for the bash shell. 
+ + Oracle Linux 9 + + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + + + + + + + + OL09-00-002302 - OL 9 must define default permissions for the c shell. + + Oracle Linux 9 + + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + + + + + + + + OL09-00-002303 - OL 9 must define default permissions for the system default profile. + + Oracle Linux 9 + + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + + + + + + + + OL09-00-002304 - OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + + Oracle Linux 9 + + Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. + + + + + + + + OL09-00-002320 - OL 9 must disable the chrony daemon from acting as a server. 
+ + Oracle Linux 9 + + Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. + + Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 + + + + + + + + OL09-00-002321 - OL 9 must disable network management of the chrony daemon. + + Oracle Linux 9 + + Not exposing the management interface of the chrony daemon on the network diminishes the attack space. + + Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 + + + + + + + + OL09-00-002330 - OL 9 must enable Linux audit logging for the USBGuard daemon. + + Oracle Linux 9 + + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + + DOD has defined the list of events for which OL 9 will provide an audit record generation capability as the following: + + 1. Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + + 2. 
Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + + 3. All account creations, modifications, disabling, and terminations; and + + 4. All kernel module load, unload, and restart actions. + + + + + + + + OL09-00-002340 - OL 9 must log SSH connection attempts and failures to the server. + + Oracle Linux 9 + + SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. + + + + + + + + OL09-00-002341 - OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. + + Oracle Linux 9 + + GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. + + + + + + + + OL09-00-002342 - OL 9 must force a frequent session key renegotiation for SSH connections to the server. + + Oracle Linux 9 + + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
+ + This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + + Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + Session key regeneration limits the chances of a session key becoming compromised. + + Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPOS-00188 + + + + + + + + OL09-00-002343 - OL 9 SSHD must not allow blank passwords. + + Oracle Linux 9 + + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + + + + + + + + OL09-00-002344 - OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. + + Oracle Linux 9 + + When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server. + + + + + + + + OL09-00-002345 - OL 9 must not permit direct logons to the root account using remote access via SSH. + + Oracle Linux 9 + + Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. 
In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. + + + + + + + + OL09-00-002346 - OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. + + Oracle Linux 9 + + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + + Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + + OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. 
+ + Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 + + + + + + + + OL09-00-002347 - OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. + + Oracle Linux 9 + + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + + Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + + OL 9 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, SSHD will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without SSHD receiving any messages back from the client. If this threshold is met, SSHD will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. 
+ + Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175 + + + + + + + + OL09-00-002348 - OL 9 SSH daemon must not allow rhosts authentication. + + Oracle Linux 9 + + SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. + + + + + + + + OL09-00-002349 - OL 9 SSH daemon must not allow known hosts authentication. + + Oracle Linux 9 + + Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. + + + + + + + + OL09-00-002350 - OL 9 SSH daemon must disable remote X connections for interactive users. + + Oracle Linux 9 + + When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. + + + + + + + + OL09-00-002351 - OL 9 SSH daemon must perform strict mode checking of home directory configuration files. + + Oracle Linux 9 + + If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. + + + + + + + + OL09-00-002352 - OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. + + Oracle Linux 9 + + Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. + + + + + + + + OL09-00-002354 - OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. 
+ + Oracle Linux 9 + + When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display. + + + + + + + + OL09-00-002355 - OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. + + Oracle Linux 9 + + If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. + + + + + + + + OL09-00-002356 - OL 9 SSH daemon must not allow Kerberos authentication. + + Oracle Linux 9 + + Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. + + + + + + + + OL09-00-002357 - OL 9 must not allow a noncertificate trusted host SSH logon to the system. + + Oracle Linux 9 + + SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. + + + + + + + + OL09-00-002358 - OL 9 must not allow users to override SSH environment variables. + + Oracle Linux 9 + + SSH environment options potentially allow users to bypass access restriction in some configurations. + + + + + + + + OL09-00-002359 - OL 9 SSHD must accept public key authentication. + + Oracle Linux 9 + + Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. 
Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication. + + Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055 + + + + + + + + OL09-00-002360 - OL 9 must require reauthentication when using the "sudo" command. + + Oracle Linux 9 + + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + + When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to reauthenticate when using the "sudo" command. + + If the value is set to an integer less than "0", the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated. + + + + + + + + OL09-00-002361 - OL 9 must restrict the use of the su command. + + Oracle Linux 9 + + The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice. + + + + + + + + OL09-00-002362 - OL 9 must require users to reauthenticate for privilege escalation. + + Oracle Linux 9 + + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + + When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate. + + + + + + + + OL09-00-002363 - OL 9 must require users to provide a password for privilege escalation. + + Oracle Linux 9 + + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. 
+ + When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate. + + + + + + + + OL09-00-002364 - OL 9 must not be configured to bypass password requirements for privilege escalation. + + Oracle Linux 9 + + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + + + + + + OL09-00-002370 - OL 9 must disable the use of user namespaces. + + Oracle Linux 9 + + User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces. + + + + + + + + OL09-00-002380 - OL 9 must disable the kernel.core_pattern. + + Oracle Linux 9 + + A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + + + + + + + + OL09-00-002381 - OL 9 must disable core dump backtraces. + + Oracle Linux 9 + + A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. + + Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. + + + + + + + + OL09-00-002382 - OL 9 must disable storing core dumps. + + Oracle Linux 9 + + A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. 
Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. + + + + + + + + OL09-00-002383 - OL 9 must disable core dumps for all users. + + Oracle Linux 9 + + A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + + + + + + + + OL09-00-002384 - OL 9 must disable acquiring, saving, and processing core dumps. + + Oracle Linux 9 + + A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + + + + + + + + OL09-00-002385 - OL 9 must be configured so that the kdump service is disabled. + + Oracle Linux 9 + + Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. + + + + + + + + OL09-00-002390 - OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks. + + Oracle Linux 9 + + Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. 
+ + Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + + SLAB objects are blocks of physically contiguous memory. SLUB is the unqueued SLAB allocator. + + Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068 + + + + + + + + OL09-00-002391 - OL 9 must enable mitigations against processor-based vulnerabilities. + + Oracle Linux 9 + + Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). + + Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049 + + + + + + + + OL09-00-002392 - OL 9 must disable the ability of systemd to spawn an interactive boot process. + + Oracle Linux 9 + + Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security. + + + + + + + + OL09-00-002393 - OL 9 must disable virtual system calls. + + Oracle Linux 9 + + System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual system calls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. + + Virtual system calls provide an opportunity of attack for a user who has control of the return instruction pointer. 
Disabling virtual system calls help to prevent return-oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on OL 6 components, virtual system calls will have to be enabled so the components function properly. + + + + + + + + OL09-00-002394 - OL 9 must clear the page allocator to prevent use-after-free attacks. + + Oracle Linux 9 + + Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + + + + + + + + OL09-00-002400 - OL 9 systemd-journald service must be enabled. + + Oracle Linux 9 + + In the event of a system failure, OL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. + + + + + + + + OL09-00-002401 - OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. + + Oracle Linux 9 + + By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + + Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 + + + + + + + + OL09-00-002402 - OL 9 must enable kernel parameters to enforce discretionary access control on symlinks. + + Oracle Linux 9 + + By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. 
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + + Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 + + + + + + + + OL09-00-002403 - OL 9 debug-shell systemd service must be disabled. + + Oracle Linux 9 + + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + + + + + + + + OL09-00-002404 - OL 9 IP tunnels must use 140-3 approved cryptographic algorithms. + + Oracle Linux 9 + + Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented. + + + + + + + + OL09-00-002406 - OL 9 must restrict access to the kernel message buffer. + + Oracle Linux 9 + + Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
+ + This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. + + There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + + Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. + + Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 + + + + + + + + OL09-00-002407 - OL 9 must prevent kernel profiling by nonprivileged users. + + Oracle Linux 9 + + Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + + This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. + + There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. 
+ + Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. + + Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 + + + + + + + + OL09-00-002408 - OL 9 must restrict exposed kernel pointer addresses access. + + Oracle Linux 9 + + Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". + + Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192 + + + + + + + + OL09-00-002409 - OL 9 must disable access to network bpf system call from nonprivileged processes. + + Oracle Linux 9 + + Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. + + + + + + + + OL09-00-002410 - OL 9 must restrict usage of ptrace to descendant processes. + + Oracle Linux 9 + + Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing). + + + + + + + + OL09-00-002411 - OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. + + Oracle Linux 9 + + Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. 
+ + Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010 + + + + + + + + OL09-00-002412 - OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled. + + Oracle Linux 9 + + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + + + + + + + + OL09-00-002413 - OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled. + + Oracle Linux 9 + + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + + + + + + + + OL09-00-002415 - OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. + + Oracle Linux 9 + + Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. + + This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based on mission needs and the operational environment for each system. 
+ + + + + + + + OL09-00-002416 - OL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. + + Oracle Linux 9 + + By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. + + Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 + + + + + + + + OL09-00-002417 - OL 9 must maintain an account lock until the locked account is released by an administrator. + + Oracle Linux 9 + + By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. + + Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 + + + + + + + + OL09-00-002419 - OL 9 file systems must not contain shosts.equiv files. + + Oracle Linux 9 + + The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. + + + + + + + + OL09-00-002420 - OL 9 file systems must not contain .shosts files. + + Oracle Linux 9 + + The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. + + + + + + + + OL09-00-002421 - OL 9 must implement DOD-approved encryption in the bind package. + + Oracle Linux 9 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
+ + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + + OL 9 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + + Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 + + + + + + + + OL09-00-002423 - OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. + + Oracle Linux 9 + + ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming (ROP) techniques. + + + + + + + + OL09-00-002425 - OL 9 must be configured to prevent unrestricted mail relaying. + + Oracle Linux 9 + + If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. + + + + + + + + OL09-00-002428 - OL 9 must prevent the loading of a new kernel for later execution. + + Oracle Linux 9 + + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + + Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. 
+ + + + + + + + OL09-00-002430 - OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. + + Oracle Linux 9 + + When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms". + + + + + + + + OL09-00-002502 - OL 9 SSH private host key files must have mode 0640 or less permissive. + + Oracle Linux 9 + + If an unauthorized user obtains the private SSH host key file, the host could be impersonated. + + + + + + + + OL09-00-002503 - OL 9 SSH public host key files must have mode 0644 or less permissive. + + Oracle Linux 9 + + If a public host key file is modified by an unauthorized user, the SSH service may be compromised. + + + + + + + + OL09-00-002504 - OL 9 system commands must be group-owned by root or a system account. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002505 - OL 9 system commands must be owned by root. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002506 - OL 9 system commands must have mode 755 or less permissive. 
+ + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002507 - OL 9 SSH server configuration file must be group-owned by root. + + Oracle Linux 9 + + Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. + + + + + + + + OL09-00-002508 - OL 9 SSH server configuration file must be owned by root. + + Oracle Linux 9 + + Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. + + + + + + + + OL09-00-002509 - OL 9 SSH server configuration file must have mode 0600 or less permissive. + + Oracle Linux 9 + + Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. + + + + + + + + OL09-00-002513 - OL 9 local initialization files must have mode 0740 or less permissive. + + Oracle Linux 9 + + Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. 
+ + + + + + + + OL09-00-002515 - OL 9 local interactive user home directories must have mode 0750 or less permissive. + + Oracle Linux 9 + + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. + + + + + + + + OL09-00-002520 - OL 9 library directories must be group-owned by root or a system account. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002521 - OL 9 library directories must be owned by root. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002522 - OL 9 library directories must have mode 755 or less permissive. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. 
+ + + + + + + + OL09-00-002523 - OL 9 library files must be group-owned by root or a system account. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002524 - OL 9 library files must be owned by root. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002525 - OL 9 library files must have mode 755 or less permissive. + + Oracle Linux 9 + + If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. + + + + + + + + OL09-00-002530 - OL 9 /boot/grub2/grub.cfg file must be group-owned by root. + + Oracle Linux 9 + + The "root" group is a highly privileged group. The group-owner of this file should not have any access privileges. + + + + + + + + OL09-00-002531 - OL 9 /boot/grub2/grub.cfg file must be owned by root. 
+ + Oracle Linux 9 + + The "/boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security. + + + + + + + + OL09-00-002532 - OL 9 /etc/group file must be group-owned by root. + + Oracle Linux 9 + + The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. + + + + + + + + OL09-00-002533 - OL 9 /etc/group- file must be group-owned by root. + + Oracle Linux 9 + + The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. + + + + + + + + OL09-00-002534 - OL 9 /etc/group file must be owned by root. + + Oracle Linux 9 + + The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. + + + + + + + + OL09-00-002535 - OL 9 /etc/group- file must be owned by root. + + Oracle Linux 9 + + The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. + + + + + + + + OL09-00-002536 - OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. + + + + + + + + OL09-00-002537 - OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. 
+ + + + + + + + OL09-00-002538 - OL 9 /etc/gshadow file must be group-owned by root. + + Oracle Linux 9 + + The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002539 - OL 9 /etc/gshadow- file must be group-owned by root. + + Oracle Linux 9 + + The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002540 - OL 9 /etc/gshadow file must be owned by root. + + Oracle Linux 9 + + The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002541 - OL 9 /etc/gshadow- file must be owned by root. + + Oracle Linux 9 + + The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002542 - OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002543 - OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002544 - OL 9 /etc/passwd file must be group-owned by root. + + Oracle Linux 9 + + The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. + + + + + + + + OL09-00-002545 - OL 9 /etc/passwd- file must be group-owned by root. 
+ + Oracle Linux 9 + + The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. + + + + + + + + OL09-00-002546 - OL 9 /etc/passwd file must be owned by root. + + Oracle Linux 9 + + The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. + + + + + + + + OL09-00-002547 - OL 9 /etc/passwd- file must be owned by root. + + Oracle Linux 9 + + The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. + + + + + + + + OL09-00-002548 - OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. + + + + + + + + OL09-00-002549 - OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. + + + + + + + + OL09-00-002550 - OL 9 /etc/shadow file must be group-owned by root. + + Oracle Linux 9 + + The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002551 - OL 9 /etc/shadow- file must be group-owned by root. + + Oracle Linux 9 + + The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. 
Protection of this file is critical for system security. + + + + + + + + OL09-00-002552 - OL 9 /etc/shadow file must be owned by root. + + Oracle Linux 9 + + The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. + + + + + + + + OL09-00-002553 - OL 9 /etc/shadow- file must be owned by root. + + Oracle Linux 9 + + The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002554 - OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. + + Oracle Linux 9 + + The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. + + + + + + + + OL09-00-002555 - OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. + + Oracle Linux 9 + + The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. + + + + + + + + OL09-00-002560 - OL 9 /var/log directory must be group-owned by root. + + Oracle Linux 9 + + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. 
Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + + The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + + + + + + OL09-00-002561 - OL 9 /var/log directory must be owned by root. + + Oracle Linux 9 + + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + + The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + + + + + + OL09-00-002562 - OL 9 /var/log directory must have mode 0755 or less permissive. + + Oracle Linux 9 + + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + + The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + + + + + + OL09-00-002563 - OL 9 /var/log/messages file must be group-owned by root. + + Oracle Linux 9 + + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + + The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + + + + + + OL09-00-002564 - OL 9 /var/log/messages file must be owned by root. + + Oracle Linux 9 + + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + + The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + + + + + + OL09-00-002565 - OL 9 /var/log/messages file must have mode 0640 or less permissive. + + Oracle Linux 9 + + Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the OL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + + The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + + + + + + OL09-00-002570 - OL 9 audit tools must be group-owned by root. + + Oracle Linux 9 + + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + + OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + + + + + + OL09-00-002571 - OL 9 audit tools must be owned by root. + + Oracle Linux 9 + + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + + OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. 
+ + Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + + + + + + OL09-00-002572 - OL 9 audit tools must have a mode of 0755 or less permissive. + + Oracle Linux 9 + + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + + OL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + + + + + + OL09-00-002580 - OL 9 cron configuration directories must have a mode of 0700 or less permissive. + + Oracle Linux 9 + + Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. + + + + + + + + OL09-00-002581 - OL 9 cron configuration files directory must be group-owned by root. + + Oracle Linux 9 + + Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. + + + + + + + + OL09-00-002582 - OL 9 cron configuration files directory must be owned by root. 
+ + Oracle Linux 9 + + Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. + + + + + + + + OL09-00-002583 - OL 9 /etc/crontab file must have mode 0600. + + Oracle Linux 9 + + Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must have the correct access rights to prevent unauthorized changes. + + + + + + + + OL09-00-003000 - OL 9 must be configured so that the root account is the only account having unrestricted access to the system. + + Oracle Linux 9 + + An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. + + + + + + + + OL09-00-003001 - OL 9 duplicate User IDs (UIDs) must not exist for interactive users. + + Oracle Linux 9 + + To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. + + Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020 + + + + + + + + OL09-00-003002 - OL 9 local interactive users must have a home directory assigned in the /etc/passwd file. + + Oracle Linux 9 + + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. + + + + + + + + OL09-00-003005 - OL 9 interactive users must have a primary group that exists. 
+ + Oracle Linux 9 + + If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group. + + + + + + + + OL09-00-003006 - OL 9 groups must have unique Group ID (GID). + + Oracle Linux 9 + + To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. + + + + + + + + OL09-00-003010 - OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. + + Oracle Linux 9 + + Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory. + + + + + + + + OL09-00-003020 - OL 9 must automatically lock an account when three unsuccessful logon attempts occur. + + Oracle Linux 9 + + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + + Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 + + + + + + + + OL09-00-003021 - OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. + + Oracle Linux 9 + + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. + + Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 + + + + + + + + OL09-00-003022 - OL 9 must log username information when unsuccessful logon attempts occur. + + Oracle Linux 9 + + Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack. 
+ + + + + + + + OL09-00-003023 - OL 9 must ensure account lockouts persist. + + Oracle Linux 9 + + Having lockouts persist across reboots ensures that account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system. + + + + + + + + OL09-00-003051 - OL 9 system accounts must not have an interactive login shell. + + Oracle Linux 9 + + Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. + + + + + + + + OL09-00-003052 - OL 9 local interactive user accounts must be assigned a home directory upon creation. + + Oracle Linux 9 + + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. + + + + + + + + OL09-00-003065 - OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. + + Oracle Linux 9 + + Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. + + Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. + + Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. + + Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110 + + + + + + + + OL09-00-003070 - OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. + + Oracle Linux 9 + + Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack. + + + + + + + + OL09-00-005000 - OL 9 remote access methods must be monitored. 
+ + Oracle Linux 9 + + Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. + + + + + + + + OL09-00-005005 - OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. + + Oracle Linux 9 + + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Offloading is a common process in information systems with limited audit storage capacity. + + OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. + + Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. + + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + + Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133 + + + + + + + + OL09-00-005015 - OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. + + Oracle Linux 9 + + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
+ + Offloading is a common process in information systems with limited audit storage capacity. + + OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. + + "Rsyslog" supported authentication modes include: + anon - anonymous authentication + x509/fingerprint - certificate fingerprint authentication + x509/certvalid - certificate validation only + x509/name - certificate validation and subject name authentication + + Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 + + + + + + + + OL09-00-005020 - OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. + + Oracle Linux 9 + + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Offloading is a common process in information systems with limited audit storage capacity. + + OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. 
+ + "Rsyslog" supported authentication modes include: + anon - anonymous authentication + x509/fingerprint - certificate fingerprint authentication + x509/certvalid - certificate validation only + x509/name - certificate validation and subject name authentication + + Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 + + + + + + + + OL09-00-005025 - OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. + + Oracle Linux 9 + + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Offloading is a common process in information systems with limited audit storage capacity. + + OL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and offload auditing. + + Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 + + + + + + + + OL09-00-005030 - OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. + + Oracle Linux 9 + + Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. + + If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO). 
+ + + + + + + + OL09-00-006000 - OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. + + Oracle Linux 9 + + DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + + This requirement addresses the configuration of OL 9 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. + + + + + + + + OL09-00-006002 - OL 9 must configure a DNS processing mode set be Network Manager. + + Oracle Linux 9 + + To ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured. + + + + + + + + OL09-00-006003 - OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. + + Oracle Linux 9 + + To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. + + + + + + + + OL09-00-006004 - OL 9 network interfaces must not be in promiscuous mode. + + Oracle Linux 9 + + Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. 
If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. + + If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information systems security officer (ISSO) and restricted to only authorized personnel. + + + + + + + + OL09-00-006020 - OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. + + Oracle Linux 9 + + ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. + + + + + + + + OL09-00-006021 - OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. + + Oracle Linux 9 + + Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. + + Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required. + + + + + + + + OL09-00-006022 - OL 9 must log IPv4 packets with impossible addresses. + + Oracle Linux 9 + + The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. 
+ + + + + + + + OL09-00-006023 - OL 9 must log IPv4 packets with impossible addresses by default. + + Oracle Linux 9 + + The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. + + + + + + + + OL09-00-006024 - OL 9 must use reverse path filtering on all IPv4 interfaces. + + Oracle Linux 9 + + Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks. + + + + + + + + OL09-00-006025 - OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + + Oracle Linux 9 + + ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + This feature of the IPv4 protocol has few legitimate uses. It must be disabled unless absolutely required. + + + + + + + + OL09-00-006026 - OL 9 must not forward IPv4 source-routed packets by default. + + Oracle Linux 9 + + Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. + + Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. + + + + + + + + OL09-00-006027 - OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default. 
+ + Oracle Linux 9 + + Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks. + + + + + + + + OL09-00-006028 - OL 9 must not enable IPv4 packet forwarding unless the system is a router. + + Oracle Linux 9 + + Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. + + + + + + + + OL09-00-006030 - OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. + + Oracle Linux 9 + + Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. + + Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. + + + + + + + + OL09-00-006031 - OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. + + Oracle Linux 9 + + Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. + + + + + + + + OL09-00-006032 - OL 9 must not send Internet Control Message Protocol (ICMP) redirects. + + Oracle Linux 9 + + ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
+ + The ability to send ICMP redirects is only appropriate for systems acting as routers. + + + + + + + + OL09-00-006033 - OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + + Oracle Linux 9 + + ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. + + The ability to send ICMP redirects is only appropriate for systems acting as routers. + + + + + + + + OL09-00-006040 - OL 9 must not accept router advertisements on all IPv6 interfaces. + + Oracle Linux 9 + + An illicit router advertisement message could result in a man-in-the-middle attack. + + + + + + + + OL09-00-006041 - OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + + Oracle Linux 9 + + An illicit ICMP redirect message could result in a man-in-the-middle attack. + + + + + + + + OL09-00-006042 - OL 9 must not forward IPv6 source-routed packets. + + Oracle Linux 9 + + Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + + + + + + + OL09-00-006043 - OL 9 must not enable IPv6 packet forwarding unless the system is a router. + + Oracle Linux 9 + + IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. + + + + + + + + OL09-00-006044 - OL 9 must not accept router advertisements on all IPv6 interfaces by default. 
+ + Oracle Linux 9 + + An illicit router advertisement message could result in a man-in-the-middle attack. + + + + + + + + OL09-00-006045 - OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + + Oracle Linux 9 + + ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + + + + + + + OL09-00-006046 - OL 9 must not forward IPv6 source-routed packets by default. + + Oracle Linux 9 + + Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It must be disabled unless it is absolutely required. + + + + + + + + OL09-00-006050 - OL 9 must be configured to use TCP syncookies. + + Oracle Linux 9 + + Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + + Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. + + Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071 + + + + + + + + OL09-00-008000 - OL 9 audit system must protect logon UIDs from unauthorized change. 
+ + Oracle Linux 9 + + If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. + + Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 + + + + + + + + OL09-00-008005 - OL 9 audit system must protect auditing rules from unauthorized change. + + Oracle Linux 9 + + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 9 system activity. + + In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable, and a system administrator could then investigate the unauthorized changes. + + Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 + + + + + + + + OL09-00-002584 - OL 9 must audit any script or executable called by cron as root or by any privileged user. + + Oracle Linux 9 + + Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions 0755 or more restrictive, and should have no extended rights that allow any nonprivileged user to modify the script or executable. + + + + + + + + OL09-00-002376 - OL 9 must terminate idle user sessions. + + Oracle Linux 9 + + Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. + + + + + + + + RHEL-08-020035 - RHEL 8 must terminate idle user sessions. 
+ + Red Hat Enterprise Linux 8 + + Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. + + + + + + + + RHEL-09-255060 - RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections. + + Red Hat Enterprise Linux 9 + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 9 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc/security/faillock.conf + ^\s*even_deny_root\s*$ + 1 + + + /etc/sysctl.conf + (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ + 1 + + + + \.conf$ + (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:10001201 + oval:mil.disa.stig.ind:obj:10001202 + + + + /proc/cmdline + \bipv6\.disable=1\b + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/boot/efi\s+(\S+)\s+\S+\s+\S+\s+\S+\s*$ + 1 + + + /etc/audit/auditd.conf + ^\s*log_file\s*=\s*(\S+)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:20000003 + oval:mil.disa.stig.ind:obj:20000004 + + + + + /etc/rsyslog.conf + ^\*\.\*\s+action\((\s*(?:[^#\)]*(?:#.*$)?\n)*[^#\)]*)\) + 1 + + + + /etc/rsyslog.d + ^.*\.conf$ + ^\*\.\*\s+action\((\s*(?:[^#\)]*(?:#.*$)?\n)*[^#\)]*)\) + 1 + + + /etc/libuser.conf + ^\[defaults]((?:\r?\n(?:[^[\r\n].*)?)*) + 1 + + + /etc/libuser.conf + ^\s*crypt_style\s*=\s*(\S+)\s*$ + 1 + + + /etc/login.defs + ^\s*ENCRYPT_METHOD\s+([^#\r\n]*) + 1 + + + /etc/shadow + ^[^:]+:([^:]*): + 1 + + + + oval:mil.disa.stig.ind:obj:23023200 + oval:mil.disa.stig.ind:ste:23023200 + oval:mil.disa.stig.ind:ste:23023201 + + + + /etc/login.defs + ^\s*SHA_CRYPT_MIN_ROUNDS\s+(\d+)\b + 1 + + + /etc/login.defs + ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b + 1 + + + /etc/pam.d + password-auth + ^[ \t]*password[ \t]+sufficient[ \t]+pam_unix\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]))sha512(?:[ \t]|$) + 1 + + + /sys/fs/selinux/enforce + ^(\d+)$ + 1 + + + /etc/selinux/config + ^SELINUX=(.*)\s*$ + 1 + + + /etc/yum.repos.d + \.repo$ + ^\s*\[[^]]+\]\s*\n(?:[^[]*\n)* + 1 + + + /etc/dnf/dnf.conf + 
^\s*localpkg_gpgcheck\s*=\s*(\w+)\b$ + 1 + + + /etc + sysctl.conf + (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ + 1 + + + + \.conf$ + (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:23026601 + oval:mil.disa.stig.ind:obj:23026602 + + + + + /etc/sudoers + ^(?!#).*\s+NOPASSWD.*$ + 1 + + + + /etc/sudoers.d + ^.*$ + ^(?!#).*\s+NOPASSWD.*$ + 1 + + + /etc/dnf/dnf.conf + ^[ \t]*clean_requirements_on_remove[ \t]*=[ \t]*(?:True|1|yes)[ \t]*$ + 1 + + + /etc/selinux/config + ^\s*SELINUXTYPE\s*=\s*(\w+)\s*$ + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)StrictModes(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)StrictModes(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23028800 + oval:mil.disa.stig.ind:obj:23028801 + + + + /etc/fstab + ^[^# \t]+\s+/var\s+ + 1 + + + /etc/fstab + + 1 + + + + /etc/audit/auditd.conf + ^\s*log_file\s*=\s*(\S+)/\S+\s*$ + 1 + + + /etc/fstab + ^[^# \t]+\s+/tmp\s+ + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)PermitRootLogin(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)PermitRootLogin(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23029600 + oval:mil.disa.stig.ind:obj:23029601 + + + + /etc/fstab + ^\s*[^#\s]+\s+/boot\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/fstab + ^\s*/dev\S*\s+/\S+\s+(?!vfat\s+)\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/fstab + ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ + 0 + + + /etc/mtab + ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ + 0 + + + + oval:mil.disa.stig.ind:obj:23031302 + oval:mil.disa.stig.ind:obj:23031303 + + + + + oval:mil.disa.stig.ind:obj:23031304 + oval:mil.disa.stig.ind:obj:23031305 + + + + /etc/security/limits.conf + ^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ + 1 + + + /etc/security/limits.d + \.conf$ + ^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ + 
1 + + + /etc/security/limits.conf + ^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ + 1 + + + /etc/security/limits.d + \.conf$ + ^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ + 1 + + + /etc/systemd/coredump.conf + ^\s*Storage\s*=\s*(\w*)\s*(?:#.*)?$ + 1 + + + /etc/systemd/coredump.conf + ^\s*ProcessSizeMax\s*=\s*(\w*)\s*(?:#.*)?$ + 1 + + + /etc/nsswitch.conf + ^\s*hosts:\s*(.*)$ + 1 + + + oval:mil.disa.stig.ind:var:23031600 + + + /etc/resolv.conf + ^nameserver\s+(.*)$ + 1 + + + /etc/login.defs + ^\s*CREATE_HOME\s+([^#\s]+) + 1 + + + /etc/gdm/custom.conf + ^\s*\[daemon\]\s+[#\s\w=]*^\s*AutomaticLoginEnable=(\w+)\s*$ + 1 + + + /etc/security/faillock.conf + ^\s*deny\s*=\s*([\d]+)\s*$ + 1 + + + /etc/security/faillock.conf + ^\s*fail_interval\s*=\s*([\d]+)\s*$ + 1 + + + /etc/security/faillock.conf + ^\s*unlock_time\s*=\s*([\d]+)\s*$ + 1 + + + /etc/security/faillock.conf + ^\s*dir\s*=\s*(\S+)\s*(?:#.*)?$ + 1 + + + /etc/security/faillock.conf + ^\s*audit\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:23034601 + oval:mil.disa.stig.ind:obj:23034602 + + + + /etc/security/limits.conf + ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + /etc/security/limits.d + .*\.conf$ + ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:23034604 + oval:mil.disa.stig.ind:obj:23034605 + + + + /etc/security/limits.conf + ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + /etc/security/limits.d + .*\.conf$ + ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + + .* + ^\[org/gnome/settings-daemon/peripherals/smartcard](?:\r?\n(?:[^[\r\n].*)?)* + 1 + + + /etc/pam.d/password-auth + ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b + 1 + + + + oval:mil.disa.stig.ind:obj:23035701 + oval:mil.disa.stig.ind:obj:23035702 + + + + /etc/security/pwquality.conf + ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + 
^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23035801 + oval:mil.disa.stig.ind:obj:23035802 + + + + /etc/security/pwquality.conf + ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23035901 + oval:mil.disa.stig.ind:obj:23035902 + + + + /etc/security/pwquality.conf + ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23036001 + oval:mil.disa.stig.ind:obj:23036002 + + + + /etc/security/pwquality.conf + ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23036101 + oval:mil.disa.stig.ind:obj:23036102 + + + + /etc/security/pwquality.conf + ^\s*maxrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*maxrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23036201 + oval:mil.disa.stig.ind:obj:23036202 + + + + /etc/security/pwquality.conf + ^\s*minclass\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*minclass\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23036301 + oval:mil.disa.stig.ind:obj:23036302 + + + + /etc/security/pwquality.conf + ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + /etc/shadow + ^root:[^:]*:[^:]*:0*: + 1 + + + /etc/shadow + ^([^:]*):[^:]*:[^:]*:0*: + 1 + + + /etc/passwd + ^nobody:[^:]*:([0-9]+): + 1 + + + /etc/login.defs + ^\s*PASS_MIN_DAYS\s+(\d*) + 1 + + + + oval:mil.disa.stig.ind:obj:23036901 + oval:mil.disa.stig.ind:obj:23036902 + + + + /etc/security/pwquality.conf + ^\s*minlen\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + 
\.conf$ + ^\s*minlen\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + /etc/default/useradd + (?i)^\s*INACTIVE\s*=\s*(-?\d+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:23037501 + oval:mil.disa.stig.ind:obj:23037502 + + + + /etc/security/pwquality.conf + ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/sssd/sssd.conf + ^\s*cache_credentials\s*=\s*true\b$ + 1 + + + /etc/sssd/sssd.conf + ^\s*offline_credentials_expiration\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + + + + /etc/sssd/conf.d + ^.+\.conf$ + ^\s*cache_credentials\s*=\s*true\b$ + 1 + + + + /etc/sssd/conf.d + ^.+\.conf$ + ^\s*offline_credentials_expiration\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23037600 + oval:mil.disa.stig.ind:obj:23037603 + + + + + oval:mil.disa.stig.ind:obj:23037602 + oval:mil.disa.stig.ind:obj:23037605 + + + + + oval:mil.disa.stig.ind:obj:23037701 + oval:mil.disa.stig.ind:obj:23037702 + + + + /etc/security/pwquality.conf + ^\s*dictcheck\s*=\s*([-\d]+)\s*(?:#.*)?$ + 1 + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*dictcheck\s*=\s*([-\d]+)\s*(?:#.*)?$ + 1 + + + /etc/login.defs + ^\s*FAIL_DELAY\s+(\d+)\s*$ + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/login.defs + ^\s*UMASK\s+([^#\s]+) + 1 + + + /etc/csh.cshrc + ^\s*(?i)umask\s*(\d+)\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+execve\s+-C\s+uid!=euid\s+-F\s+euid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+execve\s+-C\s+uid!=euid\s+-F\s+euid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+execve\s+-C\s+gid!=egid\s+-F\s+egid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+execve\s+-C\s+gid!=egid\s+-F\s+egid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*action_mail_acct\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/ + aliases + ^\s*postmaster:\s*root\s*$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*disk_error_action\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*disk_full_action\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*local_events\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*name_format\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*log_format\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + ^\s*log_file\s*=\s*(\S+)\s*(?:#.*)?$ + 1 + + + + /etc/audit/audit.rules + \n[ \t]*-e[ \t]+2\s*$ + 1 + + + /etc/audit/audit.rules + ^--loginuid-immutable$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/shadow(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/security/opasswd(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/passwd(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/gshadow(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/group(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/sudoers(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/sudoers.d/?(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/chage\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=\/usr\/bin\/chcon\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/ssh-agent\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/passwd\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/mount\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/umount\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/unix_update\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/postdrop\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/postqueue\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/semanage\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/setfiles\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/userhelper\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/setsebool\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/unix_chkpwd\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/libexec/openssh/ssh-keysign\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/setfacl\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/pam_timestamp_check\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/newgrp\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+init_module\s+|(\s+|,)init_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+init_module\s+|(\s+|,)init_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+finit_module\s+|(\s+|,)finit_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+finit_module\s+|(\s+|,)finit_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/gpasswd\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+delete_module\s+|(\s+|,)delete_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+delete_module\s+|(\s+|,)delete_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/crontab\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/chsh\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+chown\s+|(\s+|,)chown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+chown\s+|(\s+|,)chown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lchown\s+|(\s+|,)lchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lchown\s+|(\s+|,)lchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchownat\s+|(\s+|,)fchownat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchownat\s+|(\s+|,)fchownat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchown\s+|(\s+|,)fchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchown\s+|(\s+|,)fchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+chmod\s+|(\s+|,)chmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+chmod\s+|(\s+|,)chmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchmod\s+|(\s+|,)fchmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchmod\s+|(\s+|,)fchmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchmodat\s+|(\s+|,)fchmodat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchmodat\s+|(\s+|,)fchmodat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/sudo\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/usermod\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/chacl\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/kmod\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/var/log/lastlog(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + /boot/loader/entries + ^.*\.conf$ + ^options\s+.*\baudit_backlog_limit=(\d+)\b + 1 + + + 
/etc/default/grub + ^GRUB_CMDLINE_LINUX=".*\baudit_backlog_limit=(\d+)\b.*" + 1 + + + /etc/usbguard/usbguard-daemon.conf + ^\s*AuditBackend\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/aide.conf + ^\s*/usr/sbin/auditctl\s+\S+ + 1 + + + /etc/aide.conf + ^\s*/usr/sbin/auditd\s+\S+ + 1 + + + /etc/aide.conf + ^\s*/usr/sbin/ausearch\s+\S+ + 1 + + + /etc/aide.conf + ^\s*/usr/sbin/aureport\s+\S+ + 1 + + + /etc/aide.conf + ^\s*/usr/sbin/autrace\s+\S+ + 1 + + + /etc/aide.conf + ^\s*/usr/sbin/augenrules\s+\S+ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*overflow_action\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23048101 + oval:mil.disa.stig.ind:obj:23048102 + + + + + /etc/rsyslog.conf + ^\$ActionSendStreamDriverMode\s+(\S+)\s*$ + 1 + + + + /etc/rsyslog.d + ^.*\.conf$ + ^\$ActionSendStreamDriverMode\s+(\S+)\s*$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*space_left\s*=\s*([\d]+)%\s*(?:#.*)?$ + 1 + + + /etc/chrony.conf + ^[ \t]*port[ \t]+(\d+)[ \t]*$ + 1 + + + /etc/chrony.conf + ^[ \t]*cmdport[ \t]+0[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*install[ \t]+atm[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+atm[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+can[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*install[ \t]+sctp[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+sctp[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*install[ \t]+tipc[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+tipc[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*install[ \t]+cramfs[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+cramfs[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*install[ \t]+cramfs[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*blacklist[ \t]+cramfs[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*install[ \t]+firewire-core[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+firewire-core[ \t]*$ + 1 
+ + + /etc/modprobe.d + .* + ^[ \t]*install[ \t]+usb-storage[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+usb-storage[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/dev/shm\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/dev/shm\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + oval:mil.disa.stig.linux:var:23051100 + + + /etc/fstab + ^\s*[^#\s]+\s+/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + oval:mil.disa.stig.ind:var:23051400 + + + /etc/fstab + ^\s*[^#\s]+\s+/var/log\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + oval:mil.disa.stig.ind:var:23051500 + + + /etc/fstab + ^\s*[^#\s]+\s+/var/log\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + oval:mil.disa.stig.defs:var:23051600 + + + /etc/fstab + ^\s*[^#\s]+\s+/var/log\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + oval:mil.disa.stig.linux:var:23051700 + + + /etc/fstab + ^\s*[^#\s]+\s+/var/log/audit\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/var/log/audit\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/firewalld/firewalld.conf + ^\s*FirewallBackend\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + + /etc/ssh/sshd_config + ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* + 1 + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* + 1 + + + /etc/postfix/main.cf + ^smtpd_client_restrictions[ \t]*=[ \t]*permit_mynetworks[, \t]+reject[ \t]*$ + 1 + + + + oval:mil.disa.stig.ind:obj:23055501 + oval:mil.disa.stig.ind:obj:23055502 + + + + /etc/ssh/sshd_config + ^\s*(?i)X11Forwarding[ \t]+([^\s#]*)[ \t]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)X11Forwarding[ \t]+([^\s#]*)[ 
\t]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23055601 + oval:mil.disa.stig.ind:obj:23055602 + + + + /etc/ssh/sshd_config + ^\s*(?i)X11useLocalhost(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*(?i)X11useLocalhost(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)LogLevel(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)LogLevel(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:23481500 + oval:mil.disa.stig.ind:obj:23481501 + + + + + oval:mil.disa.stig.ind:obj:23499001 + oval:mil.disa.stig.ind:obj:23499002 + + + + /etc/systemd/system.conf + ^\s*CtrlAltDelBurstAction\s*=\s*(\S+)\s*$ + 1 + + + /etc/systemd/system.conf.d + ^.+\.conf$ + ^\s*CtrlAltDelBurstAction\s*=\s*(\S+)\s*$ + 1 + + + /etc/sudoers + ^\s*Defaults\s+!targetpw\s*$ + 1 + + + /etc/sudoers + ^\s*[#@]includedir\s+(\S+)\s*$ + 1 + + + + ^\s*Defaults\s+!targetpw\s*$ + 1 + + + /etc/sudoers + ^\s*Defaults\s+!rootpw\s*$ + 1 + + + + ^\s*Defaults\s+!rootpw\s*$ + 1 + + + /etc/sudoers + ^\s*Defaults\s+!runaspw\s*$ + 1 + + + + ^\s*Defaults\s+!runaspw\s*$ + 1 + + + + /etc/sudoers + ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ + 1 + + + + /etc/sudoers.d + ^.*$ + ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:23764300 + oval:mil.disa.stig.ind:obj:23764301 + + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/sudoedit\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/var/log/tallylog(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ + 1 + + + /etc/dconf/db/local.d + .* + ^\s*banner-message-enable\s*=\s*(\w+)$ + 1 + + + /usr/lib/systemd/system/emergency.service + ^ExecStart=(.*)$ + 1 + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + 
^\s*(?i)GSSAPIAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + /etc/ssh/sshd_config + ^\s*(?i)GSSAPIAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/boot/efi\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/dconf/db/local.d/locks + ^.*$ + ^\s*\/org\/gnome\/desktop\/session\/idle-delay$ + 1 + + + /etc/dconf/db/local.d/locks + .* + ^/org/gnome/desktop/screensaver/lock-enabled$ + 1 + + + /etc/pam.d/system-auth + \bnullok\b + 1 + + + /etc/pam.d/password-auth + \bnullok\b + 1 + + + /etc/audit/auditd.conf + (?i)^\s*space_left_action\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/shadow + ^[^:]+::[^:]*:[^:]*: + 1 + + + + /etc/pam.d/system-auth + ^\s*password\s+(?:required|requisite)\s+(.*)$ + 1 + + + /etc/pam.d/system-auth + ^[ \t]*password[ \t]+(?:(?:required)|(?:requisite))[ \t]+pam_pwquality\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]+))retry=([0-9]+)(?:\s|$) + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rename\s+|(\s+|,)rename(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+rename\s+|(\s+|,)rename(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+renameat\s+|(\s+|,)renameat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 
+ + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+renameat\s+|(\s+|,)renameat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+unlink\s+|(\s+|,)unlink(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+unlink\s+|(\s+|,)unlink(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+unlinkat\s+|(\s+|,)unlinkat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+unlinkat\s+|(\s+|,)unlinkat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + 
/etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/systemd/logind.conf + ^\s*StopIdleSessionSec\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + /etc/grub2.cfg + 
^\s*set\s+superusers\s*=\s*"(\S+)"\s*$ + 1 + + + /boot/grub2/user.cfg + ^\s*GRUB2_PASSWORD=(\S+)\b + 1 + + + /boot/loader/entries + ^.*\.conf$ + ^options\s+(.*)$ + 1 + + + /etc/default/grub + ^GRUB_CMDLINE_LINUX="(.*)" + 1 + + + /etc/modprobe.conf + ^[ \t]*install[ \t]+atm[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*blacklist[ \t]+atm[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*install[ \t]+firewire-core[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*blacklist[ \t]+firewire-core[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*install[ \t]+sctp[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*blacklist[ \t]+sctp[ \t]*$ + 1 + + + /etc/dnf/dnf.conf + ^gpgcheck=(.*)$ + 1 + + + /etc/fstab + ^\s*[^#\s][^\s]*\s+[^\s]+\s+nfs[^\s]*\s+([^\s]+) + 1 + + + /etc/fstab + ^\s*[^#\s]+\s+/var\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 + + + /etc/NetworkManager/NetworkManager.conf + ^dns=(\S*)\s*$ + 1 + + + /etc/NetworkManager/NetworkManager.conf + ^\[main\]((?:\r?\n(?:[^[\r\n].*)?)*) + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)banner(?-i)[ \t\"]+([\w\/]+)[\"\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)banner(?-i)[ \t\"]+([\w\/]+)[\"\s]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:25798100 + oval:mil.disa.stig.ind:obj:25798101 + + + + /etc/ssh/sshd_config + ^\s*(?i)banner(?-i)[ \t]*(?:none[\s]*|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)banner(?-i)[ \t]*(?:none[\s]*|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:25798103 + oval:mil.disa.stig.ind:obj:25798104 + + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*(?i)PubkeyAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + /etc/ssh/sshd_config + ^\s*(?i)PubkeyAuthentication(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:25798401 + oval:mil.disa.stig.ind:obj:25798402 + + + + /etc/ssh/sshd_config + ^(?i)\s*PermitEmptyPasswords\s+(\w+)$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^(?i)\s*PermitEmptyPasswords\s+(\w+)$ + 1 
+ + + + oval:mil.disa.stig.ind:obj:25798601 + oval:mil.disa.stig.ind:obj:25798602 + + + + /etc/ssh/sshd_config + ^\s*UsePAM\s+(\w*) + 1 + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*UsePAM\s+(\w*) + 1 + + + + /etc/ssh/sshd_config + ^\s*include\s+(.*)\s*$ + 1 + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*include\s+(.*)\s*$ + 1 + + + /etc/crypto-policies/back-ends/opensshserver.config + ^\s*(?i)Ciphers(?-i)[ \t]+(\S+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/crypto-policies/back-ends/opensshserver.config + ^\s*MACs\s+(\S+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:25799201 + oval:mil.disa.stig.ind:obj:25799202 + + + + /etc/ssh/sshd_config + ^(?i)\s*HostbasedAuthentication\s+(\w+)$ + 1 + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^(?i)\s*HostbasedAuthentication\s+(\w+)$ + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)ClientAliveInterval(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)ClientAliveInterval(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:25799600 + oval:mil.disa.stig.ind:obj:25799601 + + + + /etc/ssh/sshd_config + ^\s*(?i)Compression(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)Compression(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:25800200 + oval:mil.disa.stig.ind:obj:25800201 + + + + /etc/ssh/sshd_config.d + ^.*\.conf$ + ^\s*(?i)KerberosAuthentication(?-i)\s+("?\w+"?)\s*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:25800402 + oval:mil.disa.stig.ind:obj:25800400 + + + + /etc/ssh/sshd_config + ^\s*(?i)KerberosAuthentication(?-i)\s+("?\w+"?)\s*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:25800501 + oval:mil.disa.stig.ind:obj:25800502 + + + + /etc/ssh/sshd_config + ^\s*(?i)IgnoreRhosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + ^.*$ + ^\s*(?i)IgnoreRhosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)IgnoreUserKnownHosts(?-i)[ 
\t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*(?i)IgnoreUserKnownHosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ + 1 + + + + .* + ^/org/gnome/login-screen/banner-message-enable$ + 1 + + + /etc/dconf/db/local.d + 00-security-settings + ^\s*\[org\/gnome\/desktop\/media-handling]\s*\n+[^\[]*automount-open\s*=\s*(\w+)$ + 1 + + + /etc/dconf/db/local.d/locks + .* + ^/org/gnome/desktop/media-handling/automount-open$ + 1 + + + /etc/dconf/profile/user + ^\s*system-db\s*:\s*local\s*$ + 1 + + + /etc/dconf/db/local.d/locks + ^.*$ + ^\s*\/org\/gnome\/desktop\/media-handling\/autorun-never$ + 1 + + + + .* + ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ + 1 + + + /etc/dconf/profile/user + ^system-db:(\S+)\s*$ + 1 + + + + .* + ^/org/gnome/desktop/screensaver/lock-delay$ + 1 + + + + .* + ^\[org/gnome/login-screen](?:\r?\n(?:[^[\r\n].*)?)* + 1 + + + /etc/dconf/db/local.d/locks + ^.*$ + ^\s*\/org\/gnome\/login-screen\/disable-restart-buttons$ + 1 + + + /etc/dconf/db/local.d/locks + .* + ^/org/gnome/settings-daemon/plugins/media-keys/logout$ + 1 + + + /etc/login.defs + ^\s*PASS_MAX_DAYS\s+(\d+) + 1 + + + oval:mil.disa.stig.defs:var:25804500 + + + /etc/group + ^[^:#]*:[^:]*:(\d+) + 1 + + + /etc/group + ^[^:]*:[^:]*:([^:]+): + 1 + + + oval:mil.disa.stig.defs:var:25806100 + + + /etc/bashrc + ^[^#]*\s*(?i)umask\s*(\d+)\s*$ + 1 + + + /etc/profile + ^(?i)\s*umask\s+([^#\s]+) + 1 + + + /etc/security/faillock.conf + ^\s*dir\s*=\s*(.*)\s*$ + 1 + + + + /etc/sudoers + ^(?!#).*\s+!\s*authenticate.*$ + 1 + + + + /etc/sudoers.d + ^.*$ + ^(?!#).*\s+!\s*authenticate.*$ + 1 + + + + /etc/sudoers + ^\s*ALL\s+ALL\=\(ALL(?:|\:ALL)\)\s+ALL\s*$ + 1 + + + + /etc/sudoers.d + ^.*$ + ^\s*ALL\s+ALL\=\(ALL(?:|\:ALL)\)\s+ALL\s*$ + 1 + + + /etc/pam.d/su + ^\s*auth\s+(?:required|requisite)\s+pam_wheel\.so(?:\s|$) + 1 + + + /etc/pam.d/password-auth + 
^\s*password\s+sufficient\s+pam_unix\.so\s+[^#\n]*\brounds=(\d+)\b + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+sufficient\s+pam_unix\.so\s+[^#\n]*\brounds=(\d+)\b + 1 + + + + oval:mil.disa.stig.ind:obj:25810101 + oval:mil.disa.stig.ind:obj:25810102 + + + + /etc/security/pwquality.conf + ^\s*enforce_for_root\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*enforce_for_root\s*(?:#.*)?$ + 1 + + + /etc/pam.d/sudo + ^\s*[^#\n]*\bpam_succeed_if\b + 1 + + + /etc/opensc.conf + (?i)^\s*card_drivers\s*=(.*); + 1 + + + /etc/sssd/sssd.conf + ^\s*pam_cert_auth\s*=\s*(.*)\s*$ + 1 + + + + /etc/sssd/conf.d + .+ + ^\s*pam_cert_auth\s*=\s*(.*)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:25812200 + oval:mil.disa.stig.ind:obj:25812201 + + + + /etc/sssd/sssd.conf + ^\s*certificate_verification\s*=\s*(.*)\s*$ + 1 + + + /etc/sssd/conf.d + ^[^.].*\.conf$ + ^\s*certificate_verification\s*=\s*(.*)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:25812300 + oval:mil.disa.stig.ind:obj:25812301 + + + + /usr/lib/systemd/system + rescue.service + ^\s*ExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell\srescue$ + 1 + + + /etc/systemd/system/rescue.service.d + ^.+\.conf$ + ^\s*ExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell\srescue$ + 1 + + + + oval:mil.disa.stig.ind:obj:25814301 + oval:mil.disa.stig.ind:obj:25814302 + + + + + /etc/rsyslog.conf + + 1 + + + + /etc/rsyslog.d + ^.*\.conf$ + + 1 + + + + oval:mil.disa.stig.ind:obj:25814403 + oval:mil.disa.stig.ind:obj:25814406 + + + + + oval:mil.disa.stig.ind:obj:25814404 + oval:mil.disa.stig.ind:obj:25814407 + + + + + oval:mil.disa.stig.ind:obj:25814405 + oval:mil.disa.stig.ind:obj:25814408 + + + + /etc/rsyslog.conf + ^[ \t]*(?:\S+;auth\.\*|auth\.\*;\S+|auth\.\*|\S+;auth\.\*;\S+)[ \t]+\S+\s*$ + 1 + + + /etc/rsyslog.conf + ^[ \t]*(?:\S+;authpriv\.\*|authpriv\.\*;\S+|authpriv\.\*|\S+;authpriv\.\*;\S+)[ \t]+\S+\s*$ + 1 + + + /etc/rsyslog.conf + ^[ \t]*(?:\S+;daemon\.\*|daemon\.\*;\S+|daemon\.\*|\S+;daemon\.\*;\S+)[ 
\t]+\S+\s*$ + 1 + + + /etc/rsyslog.d + ^.*\.conf$ + ^[ \t]*(?:\S+;auth\.\*|auth\.\*;\S+|auth\.\*|\S+;auth\.\*;\S+)[ \t]+\S+\s*$ + 1 + + + /etc/rsyslog.d + ^.*\.conf$ + ^[ \t]*(?:\S+;authpriv\.\*|authpriv\.\*;\S+|authpriv\.\*|\S+;authpriv\.\*;\S+)[ \t]+\S+\s*$ + 1 + + + /etc/rsyslog.d + ^.*\.conf$ + ^[ \t]*(?:\S+;daemon\.\*|daemon\.\*;\S+|daemon\.\*|\S+;daemon\.\*;\S+)[ \t]+\S+\s*$ + 1 + + + /etc/audit/plugins.d/syslog.conf + ^\s*active\s*=\s*(\w+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:25814601 + oval:mil.disa.stig.ind:obj:25814602 + + + + + /etc/rsyslog.conf + ^\$ActionSendStreamDriverAuthMode\s+(\S+)\s*$ + 1 + + + + /etc/rsyslog.d + ^.*\.conf$ + ^\$ActionSendStreamDriverAuthMode\s+(\S+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:25814801 + oval:mil.disa.stig.ind:obj:25814802 + + + + + /etc/rsyslog.conf + ^\$DefaultNetstreamDriver\s+(\S+)\s*$ + 1 + + + + /etc/rsyslog.d + ^.*\.conf$ + ^\$DefaultNetstreamDriver\s+(\S+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:25814901 + oval:mil.disa.stig.ind:obj:25814902 + + + + + /etc/rsyslog.conf + ^\*\.\*\s+@@(\S+) + 1 + + + + /etc/rsyslog.d + ^.*\.conf$ + ^\*\.\*\s+@@(\S+) + 1 + + + oval:mil.disa.stig.defs:var:25815500 + + + /etc/audit/auditd.conf + (?i)^\s*admin_space_left\s*=\s*(\S+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*admin_space_left_action\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*max_log_file_action\s*=\s*(\S+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*freq\s*=\s*(\S+)\s*(?:#.*)?$ + 1 + + + /etc/audit/auditd.conf + (?i)^\s*write_logs\s*=\s*(\w+)\s*(?:#.*)?$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/init\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + 
^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/poweroff\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/reboot\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/sbin/shutdown\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+umount\s+|(\s+|,)umount(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+umount2\s+|(\s+|,)umount2(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+umount2\s+|(\s+|,)umount2(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/var/log/faillock(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)[\w-]+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^[ \t]*-f[ \t]+2\s*$ + 1 + + + /proc/sys/crypto/fips_enabled + ^(\d+)$ + 1 + + + /etc/ipsec.conf + ^\s*include\s+(.*)\s*$ + 1 + + + /etc/ipsec.d + ^.*\.conf$ + ^\s*include\s+(.*)\s*$ + 1 + + + /etc/named.conf + ^\s*include\s+"(.*)"\s*;\s*$ + 1 + + + /etc/crypto-policies/back-ends/openssh.config + ^\s*(?i)Ciphers(?-i)[ \t]+(\S+)[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/crypto-policies/back-ends/openssh.config + ^\s*MACs\s+(\S+)\s*$ + 1 + + + /etc + oracle-release + ^\s*Oracle Linux Server release 9\.(\d+)\b + 1 + 
+ + /etc/ssh/sshd_config + ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:27170900 + oval:mil.disa.stig.ind:obj:27170901 + + + + + oval:mil.disa.stig.ind:obj:27172001 + oval:mil.disa.stig.ind:obj:27172002 + + + + /etc/ssh/sshd_config + ^(?i)\s*PermitUserEnvironment\s+(\w+)$ + 1 + + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^(?i)\s*PermitUserEnvironment\s+(\w+)$ + 1 + + + + oval:mil.disa.stig.ind:obj:27175001 + oval:mil.disa.stig.ind:obj:27175002 + + + + /etc/profile + ^[^#]*\s*TMOUT=(\d+)\s*$ + 1 + + + + /etc/profile.d + ^.+\.sh$ + ^[^#]*\s*TMOUT=(\d+)\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/etc/cron\.d(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + /etc/audit/audit.rules + ^\s*-w\s+/var/spool/cron(\s+-p\s*([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*))?(\s+(-k\s+|-F\s+key=)\w+)?\s*$ + 1 + + + gnome-shell + + + gnome-shell + + + /boot/efi + + + /sys/fs/selinux + + + policycoreutils + + + openssl-pkcs11 + + + rngd.service + ActiveState + + + /var + + + /var/log + + + + + + /tmp + + + /boot + + + ^/\S+$ + oval:mil.disa.stig.linux:ste:23030103 + oval:mil.disa.stig.linux:ste:23030102 + + + kdump.service + LoadState + + + kdump.service + UnitFileState + + + kdump.service + ActiveState + + + systemd-coredump.socket + LoadState + + + systemd-coredump.socket + UnitFileState + + + .*\/home + + + audit + + + rsyslog + + + rsyslog-gnutls + + + telnet-server + + + sendmail + + + autofs.service + ActiveState + + + firewalld + + + /dev/shm + + + /dev/shm + + + /tmp + + + /tmp + + + /var/log + + + /var/log + + + /var/log + + + /var/log/audit + + + /var/log/audit + + + /var/tmp + + + /var/tmp + + + /var/tmp + + + tftp-server + + + postfix + + + xorg-x11-server-common + + + gssproxy + + + iprutils + + + tuned + + + rng-tools + + + /var/tmp + + + /boot/efi + + + fapolicyd.service + 
ActiveState + + + openssh-server + + + systemd-journald.service + ActiveState + + + ftp + + + nfs-utils + + + quagga + + + gnutls-utils + + + nss-tools + + + s-nail + + + autofs + + + .*\/home + + + /boot + + + firewalld.service + ActiveState + + + chrony + + + chronyd.service + ActiveState + + + libreswan + + + sshd.service + ActiveState + + + openssh-clients + + + usbguard + + + usbguard.service + ActiveState + + + + + + + policycoreutils-python-utils + + + sudo + + + fapolicyd + + + pcsc-lite + + + pcscd.socket + ActiveState + + + opensc + + + rsyslog.service + ActiveState + + + auditd.service + ActiveState + + + auditd.service + SubState + + + audispd-plugins + + + crypto-policies + + + bind + + + sssd + + + sssd.service + ActiveState + + + sssd.service + UnitFileState + + + oracle-linux-manager-client.* + + + aide + + + libreswan + + + /sys/firmware/efi + + + + net.ipv6.conf.all.disable_ipv6 + + + + + + /etc/passwd + + + /etc/group- + + + [\w]+ + + + + oval:mil.disa.stig.unix:obj:20000016 + oval:mil.disa.stig.unix:ste:20000017 + + + + + oval:mil.disa.stig.unix:obj:20000016 + oval:mil.disa.stig.unix:ste:20000018 + + + + net.ipv4.conf.default.rp_filter + + + /var/log/messages + + + /var/log/messages + + + /var/log/messages + + + /var/log + + + + /var/log + + + + /var/log + + + + + + \.so(\S+)*$ + oval:mil.disa.stig.unix:ste:20000015 + oval:mil.disa.stig.unix:ste:20000005 + + + + + (\.so\S*)$ + oval:mil.disa.stig.unix:ste:20000015 + oval:mil.disa.stig.unix:ste:20000006 + + + kernel.kexec_load_disabled + + + kernel.randomize_va_space + + + + / + shosts.equiv + + + + / + .shosts + + + + /etc/ssh + ^.*\.pub$ + + + /etc/ssh + ^ssh_host_.*_key$ + + + kernel.core_pattern + + + + + ^\.[^\s\.]+ + + + + + ^\.[^\s\.]+ + + + + oval:mil.disa.stig.unix:obj:20000016 + oval:mil.disa.stig.unix:ste:20000017 + oval:mil.disa.stig.unix:ste:23032500 + + + + + oval:mil.disa.stig.unix:obj:20000016 + oval:mil.disa.stig.unix:ste:20000018 + oval:mil.disa.stig.unix:ste:23032500 + + + + + 
/etc/dconf/db + + oval:mil.disa.stig.unix:ste:23035100 + + + + oval:mil.disa.stig.unix:ste:23036400 + oval:mil.disa.stig.unix:ste:23036401 + + + .+ + oval:mil.disa.stig.unix:ste:23036702 + + + .* + oval:mil.disa.stig.unix:ste:23036704 + oval:mil.disa.stig.unix:ste:23036703 + + + root + + + + + + + + + + /etc/audit/auditd.conf + + + /etc/audit/rules.d + .rules$ + + + + + + /etc/systemd/system/ctrl-alt-del.target + + + /etc/systemd/system/debug-shell.service + + + root + + + net.ipv6.conf.default.accept_redirects + + + net.ipv4.conf.all.send_redirects + + + net.ipv4.icmp_echo_ignore_broadcasts + + + net.ipv6.conf.all.accept_source_route + + + net.ipv6.conf.all.forwarding + + + net.ipv4.conf.default.send_redirects + + + net.ipv6.conf.all.accept_redirects + + + kernel.unprivileged_bpf_disabled + + + kernel.yama.ptrace_scope + + + kernel.kptr_restrict + + + user.max_user_namespaces + + + net.ipv4.conf.all.rp_filter + + + .* + + + /etc/sudoers.d + ^[^.]*[^.~]$ + + + net.ipv4.tcp_syncookies + + + net.ipv4.conf.default.accept_redirects + + + net.ipv4.conf.default.accept_source_route + + + net.ipv4.conf.all.accept_redirects + + + net.core.bpf_jit_harden + + + fs.protected_symlinks + + + fs.protected_hardlinks + + + kernel.dmesg_restrict + + + kernel.perf_event_paranoid + + + net.ipv6.conf.default.accept_source_route + + + /etc/systemd/system/default.target + + + net.ipv6.conf.default.accept_ra + + + /boot/grub2/grub.cfg + + + /boot/grub2/grub.cfg + + + .* + oval:mil.disa.stig.unix:ste:25789000 + oval:mil.disa.stig.unix:ste:25789002 + oval:mil.disa.stig.unix:ste:25789003 + + + + + + + /etc/group + + + /etc/group- + + + /etc/gshadow + + + /etc/gshadow- + + + /etc/passwd- + + + /etc/shadow- + + + /etc/group + + + /etc/group + + + /etc/group- + + + /etc/gshadow + + + /etc/gshadow + + + /etc + gshadow- + + + /etc/gshadow- + + + /etc/passwd- + + + /etc + shadow + + + /etc/shadow + + + /etc + shadow- + + + /etc + ^cron.*$ + + + ^/etc/cron.*$ + + + + + /etc + ^cron.* + + + 
/etc/crontab + + + net.ipv4.conf.all.accept_source_route + + + net.ipv4.conf.all.log_martians + + + net.ipv4.conf.default.log_martians + + + net.ipv4.icmp_ignore_bogus_error_responses + + + net.ipv4.conf.all.forwarding + + + net.ipv6.conf.all.accept_ra + + + /etc/ssh/sshd_config.d/50-redhat.conf + + + /etc/ssh/sshd_config + + + + /etc/ssh/sshd_config.d + + + + + /etc/ssh/sshd_config.d + .* + + + .* + oval:mil.disa.stig.unix:ste:25804500 + + + .+ + + + + oval:mil.disa.stig.unix:obj:25804600 + oval:mil.disa.stig.unix:ste:25804601 + oval:mil.disa.stig.unix:ste:25804602 + + + + .* + + + /etc/audit/auditd.conf + + + + + \.so\S*$ + oval:mil.disa.stig.unix:ste:20000015 + oval:mil.disa.stig.unix:ste:26048700 + + + + + \.so\S*$ + oval:mil.disa.stig.unix:ste:20000015 + oval:mil.disa.stig.unix:ste:26048701 + + + + + \.so\S*$ + oval:mil.disa.stig.unix:ste:20000015 + oval:mil.disa.stig.unix:ste:26048702 + + + + + \.so\S*$ + oval:mil.disa.stig.unix:ste:20000015 + oval:mil.disa.stig.unix:ste:26048703 + + + + + \.so\S*$ + oval:mil.disa.stig.unix:ste:20000015 + oval:mil.disa.stig.unix:ste:26048704 + + + + + .* + oval:mil.disa.stig.unix:ste:20000023 + + + + + .* + oval:mil.disa.stig.unix:ste:20000005 + + + + + .* + oval:mil.disa.stig.unix:ste:20000024 + oval:mil.disa.stig.unix:ste:20000002 + + + + + .* + oval:mil.disa.stig.unix:ste:20000025 + oval:mil.disa.stig.unix:ste:20000002 + + + + + + oval:mil.disa.stig.unix:ste:20000021 + oval:mil.disa.stig.unix:ste:20000006 + + + + + + oval:mil.disa.stig.unix:ste:20000021 + oval:mil.disa.stig.unix:ste:20000005 + + + + + + oval:mil.disa.stig.unix:ste:20000021 + oval:mil.disa.stig.unix:ste:20000024 + + + + + + oval:mil.disa.stig.unix:ste:20000021 + oval:mil.disa.stig.unix:ste:20000025 + + + /var/lib/aide/aide.db.gz + + + + + (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) + + + (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) + + + vfat + + + false + + + true + + + 0 + + + 1 + + + none + + + 0 + + + ^(yes|"yes")$ + + + ^(no|"no")$ + + + ^[123]$ + + + 0 + + + 0 
+ + + ^(True|1|yes)$ + + + (?i)^yes$ + + + yes + + + 0 + + + 077 + + + (?i)(?:^|\n)[^#]*\btype\s*=\s*"omfwd" + + + \n\s*crypt_style\s*=\s*(\S*)\s*(\n|$) + + + sha512 + + + SHA512 + + + ^[!*] + + + ^[$][6][$] + + + 100000 + + + 0 + + + enforcing + + + \n\s*gpgcheck\s*=\s*(True|1|yes)\s*(\n|$) + + + \n\s*gpgcheck\s*=\s*(False|0|no)\s*(\n|$) + + + (^|\s)vsyscall=none(\s|$) + + + targeted + + + (?:^nodev$|^nodev,|,nodev$|,nodev,) + + + ^.*noexec.*$ + + + (^|,)nosuid(,|$) + + + 0 + + + 0 + + + (^|\s)dns(\s|$) + + + 2 + + + 3 + + + 900 + + + /var/log/faillock + + + 10 + + + \nremoval-action='lock-screen'\s*(\n|$) + + + 4 + + + 3 + + + 4 + + + 8 + + + 1 + + + 15 + + + 35 + + + 4 + + + 077 + + + 077 + + + (?i)^root$ + + + (?i)^syslog$ + + + (?i)^single$ + + + (?i)^halt$ + + + (?i)^syslog$ + + + (?i)^single$ + + + (?i)^halt$ + + + (?i)^hostname$ + + + (?i)^fqd$ + + + (?i)^numeric$ + + + (?i)^enriched$ + + + (^|\s)audit=1(\s|$) + + + 8192 + + + LinuxAudit + + + 25 + + + 100 + + + (^|\s)pti=on(\s|$) + + + (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) + + + (?:^noexec$|^noexec,|,noexec$|,noexec,) + + + nodev + + + ^.*nosuid.*$ + + + nodev + + + nosuid + + + noexec + + + nodev + + + ^.*noexec.*$ + + + (?:^nodev$|^nodev,|,nodev$|,nodev,) + + + (?:^nosuid$|^nosuid,|,nosuid$|,nosuid,) + + + nftables + + + ^(?i)\s*RekeyLimit\s+[1-9][0-9]*[kmg]?\s+([1-9][0-9]*[smhdw]?)+\s*$ + + + ^VERBOSE$|^"VERBOSE"$ + + + /etc/sudoers.d + + + -/usr/lib/systemd/systemd-sulogin-shell emergency + + + (?i)^email$ + + + ^pam_pwquality.so(\s|$) + + + ^(delayed|"delayed")$ + + + 600 + + + ^\S+$ + + + ^grub\.pbkdf2\.sha512\. 
+ + + (^|\s)systemd\.confirm_spawn(\s|$) + + + (^|\s)page_poison=1(\s|$) + + + 1 + + + (^|,)nodev(,|$) + + + \ndns= + + + none + + + default + + + systemd-resolved + + + ^\/.+$ + + + /etc/crypto-policies/back-ends/opensshserver.config + + + /etc/ssh/sshd_config.d/*.conf + + + aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr + + + "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr" + + + hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 + + + "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512" + + + 600 + + + 0 + + + \ndisable-restart-buttons=(true|'true')\s*(\n|$) + + + 60 + + + + + + + + + 100000 + + + (?i)\bcac\b + + + true + + + (?i)(^|,)ocsp_dgst=sha512(,|$) + + + x509/name + + + gtls + + + ^.+$ + + + (?i)(?:^|\n)[^#]*\bprotocol\s*=\s*"tcp" + + + 10737418240 + + + 5% + + + ROTATE + + + SINGLE + + + 1 + + + 100 + + + /etc/crypto-policies/back-ends/libreswan.config + + + /etc/ipsec.d/*.conf + + + /etc/crypto-policies/back-ends/bind.config + + + (^|\s)slub_debug=P(\s|$) + + + 900 + + + vfat + + + noexec + + + nodev + + + nosuid + + + active + + + running + + + masked + + + enabled + + + inactive + + + selinuxfs + + + ^/dev\S*$ + + + vfat + + + nosuid + + + noexec + + + active + + + faillog_t + + + false + false + false + false + false + false + false + false + + + symbolic link + + + false + false + false + false + false + false + false + false + false + false + + + 0 + + + 0 + + + false + false + false + false + false + false + false + false + false + + + false + false + false + false + false + + + 0 + + + 1 + + + 2 + + + false + false + false + false + false + false + false + false + false + false + false + false + + + /dev/null + + + false + false + false + false + false + false + + + regular + + + .+ + + + 1000 + + + 0 + + + false + false + false + false + false + false + false + false + + + directory + + + false + false + false + false + false + 
false + false + + + 1000 + + + false + + + false + + + |/bin/false + + + / + + + ^/etc/dconf/db/.*\.d$ + + + 1000 + + + + + + 0 + + + 60 + + + + + + + + + 1000 + + + 0 + + + (^|\s)PROMISC(\s|$) + + + [\S]*\/multi\-user\.target$ + + + ^.*nologin.*$ + + + 1000 + + + 65534 + + + false + false + false + true + true + false + false + false + false + false + false + false + + + 1000 + + + /sbin/nologin|/usr/sbin/nologin + + + 1000 + + + 0 + + + + + + true + + + true + + + true + + + true + + + true + + + 0 + + + + + + + + /etc/sysctl.d + /run/sysctl.d + /lib/sysctl.d + /usr/lib/sysctl.d + /usr/local/lib/sysctl.d + + + ^\s*-a\s+(?:always,exit|exit,always) + + + \s+-F\s+arch=b32 + + + \s+-F\s+arch=b64 + + + \s+(?:-S\s+[,\w]+\s+)* + + + -S\s+[,\w]*\b + + + \b[,\w]* + + + -F\s+auid>=1000\s+-F\s+auid!=(?:4294967295|-1|unset) + + + (?:\s+(?:-k\s+|-F\s+key=)[-\w]+)*\s*$ + + + -F\s+auid=0 + + + /lib + /lib64 + /usr/lib + /usr/lib64 + + + /bin + /sbin + /usr/bin + /usr/sbin + /usr/libexec + /usr/local/bin + /usr/local/sbin + + + + + + + ^[^# \t]+\s+ + + \s+ + + + + + + + + + + + + + + + + + + + + ^ + + $ + + + + 65534 + 65535 + 4294967294 + 4294967295 + + + + + + /sbin/auditctl + /sbin/aureport + /sbin/ausearch + /sbin/autrace + /sbin/auditd + /sbin/rsyslogd + /sbin/augenrules + + + + + + + + + + + + + + + + lsetxattr + + + + + + + + + + + + + lsetxattr + + + + + + + + + + + + + lsetxattr + + + + + + + + + + + + + lsetxattr + + + + + + + + + + + + + removexattr + + + + + + + + + + + + + removexattr + + + + + + + + + + + + + removexattr + + + + + + + + + + + + + removexattr + + + + + + + + + + + + /etc/dconf/db/ + + .d/locks + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[^#]*InputTCPServerRun + ^[^#]*UDPServerRun + ^[^#]*RELPServerRun + ^[^#]*module\s*\(.*\bload\s*=\s*"imtcp".*\) + ^[^#]*module\s*\(.*\bload\s*=\s*"imudp".*\) + ^[^#]*module\s*\(.*\bload\s*=\s*"imrelp".*\) + ^[^#]*input\s*\(.*\btype\b\s*=\s*"imtcp"\s*\bport\b\s*=\s*"514".*\) + 
^[^#]*input\s*\(.*\btype\b\s*=\s*"imudp"\s*\bport\b\s*=\s*"514".*\) + ^[^#]*input\s*\(.*\btype\b\s*=\s*"imrelp"\s*\bport\b\s*=\s*"514".*\) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Security Content Tool 1.7.0 + 5.11 + 2026-01-05T02:26:56 + + + + + Oracle Linux 9 is installed. + + Oracle Linux 9 + + + Oracle Linux 9 is installed. + + + + + + + + + + + + + + + oraclelinux-release + + + + + ^9\.\d+$ + + + + + diff --git a/shared/references/disa-stig-ol9-v1r3-xccdf-manual.xml b/shared/references/disa-stig-ol9-v1r4-xccdf-manual.xml similarity index 87% rename from shared/references/disa-stig-ol9-v1r3-xccdf-manual.xml rename to shared/references/disa-stig-ol9-v1r4-xccdf-manual.xml index 16e82f7e4465..83ecb4015e1e 100644 --- a/shared/references/disa-stig-ol9-v1r3-xccdf-manual.xml +++ b/shared/references/disa-stig-ol9-v1r4-xccdf-manual.xml 
@@ -1,4 +1,4 @@ -acceptedOracle Linux 9 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 01 Oct 20253.5.11.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000780-GPOS-00240<GroupDescription></GroupDescription>OL09-00-000001The OL 9 operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest.<VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-004910Configure the OL 9 operating system to implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. 
@@ -63,12 +63,16 @@ If a separate entry for "/var/log" is not in use, this is a finding.SRG-OS-000439-GPOS-00195<GroupDescription></GroupDescription>OL09-00-000010OL 9 must be a vendor supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +If a separate entry for "/var/tmp" is not in use, this is a finding.SRG-OS-000439-GPOS-00195<GroupDescription></GroupDescription>OL09-00-000010OL 9 must be a vendor supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. -Oracle offers Oracle Linux Premier Support, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002605Upgrade OL 9 to a supported version.Verify that OL 9 is vendor supported with the following command: +End Of Life dates for Oracle Linux 9 releases are as follows: +Current end of Premier Support for Oracle Linux 9 is June 2032. +Current end of Extended Support for Oracle Linux 9 is June 2035. 
+ +Each minor version reaches end of life when the new version is released.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002605Upgrade OL 9 to a supported version.Verify OL 9 is vendor supported with the following command: $ cat /etc/oracle-release -Oracle Linux Server release 9.5 +Oracle Linux Server release 9.6 If the installed version of OL 9 is not supported, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-000015OL 9 vendor packaged system security patches and updates must be installed and up to date.<VulnDiscussion>Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Install OL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command: 
@@ -99,7 +103,7 @@ If there is an operational requirement for a graphical user interface, document $ systemctl get-default multi-user.target -If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-000025OL 9 must require authentication to access emergency mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-000025OL 9 must require authentication to access emergency mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. 
Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000213Configure OL 9 to require authentication for emergency mode. 
@@ -110,7 +114,7 @@ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergencySRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-000030OL 9 must require authentication to access single-user mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If this line is not returned, or is commented out, this is a finding. If the output is different, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-000030OL 9 must require authentication to access single-user mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. 
Information systems use access control policies and enforcement mechanisms to implement this requirement. This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000213Configure OL 9 to require authentication for single-user mode. 
@@ -154,21 +158,22 @@ $ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d/* install firewire-core /bin/true blacklist firewire-core -If the command does not return any output, or the line is commented out, and use of firewire-core is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000043OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the command does not return any output, or the line is commented out, and use of firewire-core is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000043OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. -The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. 
Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000381Configure OL 9 to prevent the sctp kernel module from being loaded. +The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000381Configure OL 9 to prevent the sctp kernel module from being loaded. 
Add the following line to the file /etc/modprobe.d/sctp.conf (or create sctp.conf if it does not exist): -install sctp/bin/false -blacklist sctpVerify that OL 9 disables the ability to load the sctp kernel module with the following command: +install sctp /bin/false +blacklist sctpVerify OL 9 disables the ability to load the sctp kernel module with the following command: -$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d/* -blacklist sctp +$ grep -irs sctp /etc/modprobe.conf /etc/modprobe.d/* +/etc/modprobe.d/sctp.conf:install sctp /bin/false +/etc/modprobe.d/sctp.conf:blacklist sctp -If the command does not return any output, or the line is commented out, and use of sctp is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000044OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the command does not return any output, or the line is commented out, and use of sctp is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000044OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
Failing to disconnect unused protocols can result in a system compromise. 
@@ -177,12 +182,13 @@ The TIPC is a protocol that is specially designed for intra-cluster communicatio Add the following line to the file /etc/modprobe.d/tipc.conf (or create tipc.conf if it does not exist): install tipc /bin/false -blacklist tipcVerify that OL 9 disables the ability to load the tipc kernel module with the following command: +blacklist tipcVerify OL 9 disables the ability to load the tipc kernel module with the following command: -$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d/* -blacklist tipc +$ grep -irs tipc /etc/modprobe.conf /etc/modprobe.d/* +/etc/modprobe.d/tipc.conf:install tipc /bin/false +/etc/modprobe.d/tipc.conf:blacklist tipc -If the command does not return any output, or the line is commented out, and use of TIPC is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000045OL 9 must disable mounting of cramfs.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the command does not return any output, or the line is commented out, and use of TIPC is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000045OL 9 must disable mounting of cramfs.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
Removing support for unneeded filesystem types reduces the local attack surface of the server. 
@@ -193,21 +199,13 @@ Add the following line to the file /etc/modprobe.d/cramfs.conf (or create blackl install cramfs /bin/false blacklist cramfs -Reboot the system for the settings to take effect.Verify that OL 9 disables the ability to load the cramfs kernel module with the following command: - -$ grep -ri cramfs /etc/modprobe.d/* | grep -i "/bin/false" -install cramfs /bin/false - -If the command does not return any output, or the line is commented out, and use of the cramfs protocol is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. +Reboot the system for the settings to take effect.Verify OL 9 disables the ability to load the cramfs kernel module with the following command: -Verify the operating system disables the ability to use the cramfs kernel module. +$ grep -irs cramfs /etc/modprobe.conf /etc/modprobe.d/* +/etc/modprobe.d/blacklist.conf:install cramfs /bin/false +/etc/modprobe.d/blacklist.conf:blacklist cramfs -Determine if the cramfs kernel module is disabled with the following command: - -$ grep -ri cramfs /etc/modprobe.d/* | grep -i "blacklist" -blacklist cramfs - -If the command does not return any output or the output is not "blacklist cramfs", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000046OL 9 Bluetooth must be disabled.<VulnDiscussion>This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the authorizing official (AO). 
Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 9 operating system. +If the command does not return any output, or the line is commented out, and use of the cramfs protocol is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>OL09-00-000046OL 9 Bluetooth must be disabled.<VulnDiscussion>This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the authorizing official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 9 operating system. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000381CCI-001443Configure OL 9 to disable the Bluetooth adapter when not in use. 
@@ -235,7 +233,7 @@ $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d/* install usb-storage /bin/false blacklist usb-storage -If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-000050OL 9 must require a unique superuser's name upon booting into single-user and maintenance modes.<VulnDiscussion>Having a nondefault grub superuser username makes password-guessing attacks less effective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000213Configure OL 9 to have a unique username for the grub superuser account. 
+If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-000050OL 9 must require a unique superuser's name upon booting into single-user and maintenance modes.<VulnDiscussion>Having a nondefault grub superuser username makes password-guessing attacks less effective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000213Configure OL 9 to have a unique username for the grub superuser account. Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: 
@@ -773,7 +771,7 @@ List files on the system that have file hashes different from what is expected b $ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' -If there is output, this is a finding.SRG-OS-000478-GPOS-00223<GroupDescription></GroupDescription>OL09-00-000244OL 9 cryptographic policy files must match files shipped with the operating system.<VulnDiscussion>The OL 9 package crypto-policies defines the cryptography policies for the system. +If there is output, this is a finding.SRG-OS-000478-GPOS-00223<GroupDescription></GroupDescription>OL09-00-000244OL 9 cryptographic policy files must match files shipped with the operating system.<VulnDiscussion>The OL 9 package crypto-policies defines the cryptography policies for the system. If the files are changed from those shipped with the operating system, it may be possible for OL 9 to use cryptographic functions that are not FIPS 140-3 approved. 
@@ -2352,7 +2350,7 @@ $ sudo service auditd restartSRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>OL09-00-000710OL 9 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. +If the command does not return an audit rule for umount or any of the lines returned are commented out, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>OL09-00-000710OL 9 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. 
@@ -2360,7 +2358,7 @@ It is not uncommon for attackers to replace the audit tools or inject code into To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. -Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001493CCI-001494CCI-001495CCI-001496Configure OL 9 to protect the integrity of the audit tools. +Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001493CCI-001494CCI-001495CCI-001496Configure OL 9 to protect the integrity of the audit tools. Add or update the following lines to /etc/aide.conf: 
@@ -2369,8 +2367,7 @@ Add or update the following lines to /etc/aide.conf: /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that OL 9 uses cryptographic mechanisms to protect the integrity of the audit tools with the following command: +/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify OL 9 uses cryptographic mechanisms to protect the integrity of the audit tools with the following command: $ sudo cat /etc/aide.conf | grep /usr/sbin/au /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 @@ -2378,7 +2375,6 @@ $ sudo cat /etc/aide.conf | grep /usr/sbin/au /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system. 
@@ -2768,7 +2764,7 @@ $ sudo service auditd restartSRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL09-00-000840OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. +If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL09-00-000840OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000130CCI-000169CCI-002884CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the umount system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory: 
@@ -2777,17 +2773,13 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO The audit daemon must be restarted for the changes to take effect. Restart auditd: -$ sudo service auditd restartVerify that OL 9 generates an audit record for all uses of the umount system call with the following commands: - -$ sudo grep "umount" /etc/audit/audit.* +$ sudo service auditd restartVerify OL 9 is configured to audit the execution of the "umount" command with the following command: -$ sudo grep umount /etc/audit/audit.rules - -If the system is configured to audit this activity, it will return a line like the following: +$ sudo auditctl -l | grep umount --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -F key=privileged-umount -If the command does not return a line or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL09-00-000845OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing discretionary access control (DAC) modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. +If the command does not return an audit rule for "umount" or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL09-00-000845OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing discretionary access control (DAC) modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000130CCI-000169CCI-002884CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the umount2 system call by adding the following rules to a rules file in /etc/audit/rules.d/ directory: (Example /etc/audit/rules.d/audit.rules) 
@@ -2797,15 +2789,14 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO The audit daemon must be restarted for the changes to take effect. Restart auditd: -$ sudo service auditd restartVerify that OL 9 generates an audit record for all uses of the umount2 system call with the following commands: +$ sudo service auditd restartVerify OL 9 generates an audit record for all uses of the umount2 system call with the following commands: -$ sudo grep "umount2" /etc/audit/audit.rules +$ sudo auditctl -l | grep umount2 -$ sudo sh -c 'grep "umount2" /etc/audit/audit.rules' +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount -If the system is configured to audit this activity, it will return a line. - -If no line is returned, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>OL09-00-000850OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.<VulnDiscussion>To ensure OL 9 systems have a sufficient storage capacity in which to write the audit logs, OL 9 needs to be able to allocate audit record storage capacity. +If the command does not return an audit rule for "umount2" or any of the lines returned are commented out, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>OL09-00-000850OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.<VulnDiscussion>To ensure OL 9 systems have a sufficient storage capacity in which to write the audit logs, OL 9 needs to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of OL 9. 
@@ -3342,7 +3333,7 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p $ grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth -If output is produced, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-001115OL 9 must require a boot loader superuser password.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If output is produced, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL09-00-001115OL 9 must require a boot loader superuser password.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. 
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000213Configure OL 9 to require a grub bootloader password for the grub superuser account. 
@@ -3404,16 +3395,7 @@ $ sudo systemctl mask --now autofs.serviceSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002010OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to authenticate the remote mount request more securely.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. - -Ensure the "sec" option is defined as "krb5p:krb5i:krb5".If no NFS mounts are configured, this requirement is Not Applicable. 
- -Verify that OL 9 has the "sec" option configured for all NFS mounts with the following command: - -$ cat /etc/fstab | grep nfs -192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5p:krb5i:krb5 - -If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002011OL 9 must prevent special devices on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Update each NFS mounted file system to use the "nodev" option on file systems that are being imported via NFS.If no NFS mounts are configured, this requirement is Not Applicable. +If the returned value is not "masked" and is not documented as operational requirement with the information system security officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002011OL 9 must prevent special devices on file systems that are imported via Network File System (NFS).<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Update each NFS mounted file system to use the "nodev" option on file systems that are being imported via NFS.If no NFS mounts are configured, this requirement is Not Applicable. Verify that OL 9 has the "nodev" option configured for all NFS mounts with the following command: 
@@ -3467,11 +3449,11 @@ Verify that the /boot directory is mounted with the "nosuid" option with the fol $ mount | grep '\s/boot\s' /dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) -If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>OL09-00-002032OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001764Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. +If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>OL09-00-002032OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001764Configure OL 9 to prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. -Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.For systems that use BIOS, this requirement is Not Applicable. +Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.Note: For systems using vfat file systems.or systems that use BIOS, this requirement is Not Applicable. -Verify that OL 9 /boot/efi directory is mounted with the "nosuid" option with the following command: +Verify OL 9 /boot/efi directory is mounted with the "nosuid" option with the following command: $ mount | grep '\s/boot/efi\s' /dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro) 
@@ -3667,9 +3649,11 @@ Note: If a separate file system has not been created for the user home directori $ mount | grep /home tmpfs on /home type xfs (rw,nodev,nosuid,noexec,seclabel) -If the "/home" file system is mounted without the "noexec" option, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002080OL 9 must prevent special devices on nonroot local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. +If the "/home" file system is mounted without the "noexec" option, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002080OL 9 must prevent special devices on nonroot local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions.Verify that OL 9 prevents special devices on nonroot local partitions. 
+The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions.Note: This control is not applicable to vfat file systems. + +Verify OL 9 prevents special devices on nonroot local partitions. Verify all nonroot local partitions are mounted with the "nodev" option with the following command: 
@@ -3755,30 +3739,30 @@ Verify that OL 9 initiates a session lock for graphical user interfaces when the $ gsettings get org.gnome.desktop.screensaver lock-delay uint32 5 -If the "uint32" setting is not set to "5" or less, or is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL09-00-002104OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. +If the "uint32" setting is not set to "5" or less, or is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL09-00-002104OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. 
-Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000057CCI-000060Configure OL 9 to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. +Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000057CCI-000060Configure OL 9 to initiate a screensaver after a 10-minute period of inactivity for graphical user interfaces. 
-Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: $ sudo touch /etc/dconf/db/local.d/00-screensaver Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: [org/gnome/desktop/session] -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 +# Set the lock time out to 600 seconds before the session is considered idle +idle-delay=uint32 600 Update the system databases: -$ sudo dconf updateThis requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. +$ sudo dconf updateThis requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
-Verify that OL 9 initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following command: +Verify OL 9 initiates a session lock after a 10-minute period of inactivity for graphical user interfaces with the following command: $ gsettings get org.gnome.desktop.session idle-delay -uint32 900 +uint32 600 -If "idle-delay" is set to "0" or a value greater than "900", this is a finding.SRG-OS-000031-GPOS-00012<GroupDescription></GroupDescription>OL09-00-002106OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.<VulnDiscussion>Setting the screensaver mode to blank-only conceals the contents of the display from passersby.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000060Configure OL 9 to conceal, via the session lock, information previously visible on the display with a publicly viewable image. 
+If "idle-delay" is set to "0" or a value greater than "600", this is a finding.SRG-OS-000031-GPOS-00012<GroupDescription></GroupDescription>OL09-00-002106OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.<VulnDiscussion>Setting the screensaver mode to blank-only conceals the contents of the display from passersby.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000060Configure OL 9 to conceal, via the session lock, information previously visible on the display with a publicly viewable image. The dconf settings can be edited in the /etc/dconf/db/* location. 
@@ -4656,19 +4640,19 @@ Verify that "/etc/sudoers" has no occurrences of "!authenticate" with the follow $ sudo grep -ri '!authenticate' /etc/sudoers /etc/sudoers.d/* -If any occurrences of "!authenticate" are returned, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>OL09-00-002363OL 9 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +If any occurrences of "!authenticate" are returned, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>OL09-00-002363OL 9 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002234Configure OL 9 to not allow users to execute privileged actions without authenticating with a password. Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. -$ sudo sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*Verify that OL 9 requires users to provide a password for privilege escalation. +$ sudo sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*Verify OL 9 requires users to provide a password for privilege escalation. 
-Verify that "/etc/sudoers" has no occurrences of "NOPASSWD" with the following command: +Verify "/etc/sudoers" has no occurrences of "NOPASSWD" with the following command: -$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/* +$ sudo grep -iR nopasswd /etc/sudoers /etc/sudoers.d/ -If any occurrences of "NOPASSWD" are returned, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>OL09-00-002364OL 9 must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002234Configure the operating system to require users to supply a password for privilege escalation. +If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group using multifactor authentication (MFA), this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>OL09-00-002364OL 9 must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. 
When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002234Configure the operating system to require users to supply a password for privilege escalation. Remove any occurrences of " pam_succeed_if " in the "/etc/pam.d/sudo" file.Verify that OL 9 is not configured to bypass password requirements for privilege escalation with the following command: 
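Review bot: The new check line `$ sudo grep -iR nopasswd /etc/sudoers /etc/sudoers.d/` still returns lines that this hunk's own fix text has commented out with `sed -i '/NOPASSWD/ s/^/# /g'`, so a host remediated exactly as instructed keeps producing a finding. Anchoring the pattern before any comment character, `$ sudo grep -iR '^[^#]*nopasswd' /etc/sudoers /etc/sudoers.d/`, matches only live directives; the same applies to the `!authenticate` grep earlier in the hunk. The new finding sentence now exempts occurrences documented with the ISSO as an MFA-using administrative group, but the fix text still says to remove any occurrence, so the fix and check paragraphs should state the same exception.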
@@ -4702,38 +4686,49 @@ $ sudo sysctl --systemSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002381OL 9 must disable core dump backtraces.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. +If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002381OL 9 must disable core dump backtraces.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the operating system to disable core dump backtraces. 
Add or modify the following line in /etc/systemd/coredump.conf: -ProcessSizeMax=0Verify that OL 9 disables core dump backtraces by issuing the following command: +ProcessSizeMax=0Note: If kernel dumps are disabled in accordance with OL09-00-002380, this requirement is not applicable. + +Verify OL 9 disables core dump backtraces by issuing the following command: $ grep -i process /etc/systemd/coredump.conf ProcessSizeMax=0 -If the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002382OL 9 must disable storing core dumps.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the operating system to disable storing core dumps for all users. 
+If the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002382OL 9 must disable storing core dumps.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the operating system to disable storing core dumps for all users. Add or modify the following line in /etc/systemd/coredump.conf: -Storage=noneVerify that OL 9 disables storing core dumps for all users by issuing the following command: +Storage=noneNote: If kernel dumps are disabled in accordance with OL09-00-002380, this requirement is not applicable. 
+ +Verify OL 9 disables storing core dumps for all users by issuing the following command: $ grep -i storage /etc/systemd/coredump.conf Storage=none -If the "Storage" item is missing, commented out, or the value is anything other than "none" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002383OL 9 must disable core dumps for all users.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the operating system to disable core dumps for all users. +If the "Storage" item is missing, commented out, or the value is anything other than "none" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002383OL 9 must disable core dumps for all users.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to disable core dumps for all users. Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: -* hard core 0Verify that OL 9 disables core dumps for all users by issuing the following command: +* hard core 0 + +Remove or comment out any entries for users or groups with a value set to anything other than "0".Note: If kernel dumps are disabled in accordance with OL09-00-002380, this requirement is not applicable. + +Verify OL 9 disables core dumps for all users by issuing the following command: $ grep -r -s core /etc/security/limits.conf /etc/security/limits.d/*.conf + /etc/security/limits.conf:* hard core 0 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. -If the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002384OL 9 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the system to disable the systemd-coredump.socket with the following command: +If the "core" item is missing or commented out, or the value is anything other than "0", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding. + +If entries exist for users or groups with a value set to anything other than "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002384OL 9 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure the system to disable the systemd-coredump.socket with the following command: $ sudo systemctl mask --now systemd-coredump.socket 
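Review bot: The N/A notes added to OL09-00-002381, -002382 and -002383 in this hunk (and to -002384 in the following @@ -4741 hunk) say "If kernel dumps are disabled in accordance with OL09-00-002380", but "kernel dumps" ordinarily means kdump crash dumps, whereas the -002380 check text at the top of this hunk appears to concern `kernel.core_pattern` being set to `|/bin/false`, i.e. process core dumps. Naming the mechanism keeps auditors from applying the wrong exemption: `Note: If process core dumps are disabled via "kernel.core_pattern" in accordance with OL09-00-002380, this requirement is not applicable.` Even with that wording, the systemd-coredump settings and the limits.conf hard core limit are independent layers, so the exemption arguably trades away defense in depth and that trade-off may be worth stating in the VulnDiscussion rather than leaving it implicit.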
@@ -4741,7 +4736,9 @@ Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null Reload the daemon for this change to take effect. -$ sudo systemctl daemon-reloadVerify that OL 9 is not configured to acquire, save, or process core dumps with the following command: +$ sudo systemctl daemon-reloadNote: If kernel dumps are disabled in accordance with OL09-00-002380, this requirement is not applicable. + +Verify OL 9 is not configured to acquire, save, or process core dumps with the following command: $ systemctl status systemd-coredump.socket systemd-coredump.socket 
@@ -5046,16 +5043,22 @@ declare -xr TMOUT=900SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL09-00-002412OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002235Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: +If "TMOUT" is not set to "900" or less in a script located in the "/etc/'profile.d/ directory, is missing or is commented out, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL09-00-002412OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002235Configure OL 9 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: + +If no drop file exists, create one with the following command: + +$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction + +Edit the file to contain the setting by adding the following text: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect. -$ sudo systemctl daemon-reloadVerify that OL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: +$ sudo systemctl daemon-reloadVerify OL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: -$ grep -i ctrl /etc/systemd/system.conf -CtrlAltDelBurstAction=none +$ sudo grep -iR CtrlAltDelBurstAction /etc/systemd/system* +/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction:CtrlAltDelBurstAction=none If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL09-00-002413OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. 
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002235Configure OL 9 to disable the ctrl-alt-del.target with the following command: 
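Review bot: The new fix text creates the drop-in as `/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction`, but systemd only reads files matching `*.conf` from system.conf.d, so the setting would be ignored while the new check `$ sudo grep -iR CtrlAltDelBurstAction /etc/systemd/system*` still finds the line and passes, leaving a control that reads as compliant without being effective. Both the `vi` path in the fix and the example output path in the check should end in `.conf`, e.g. `/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction.conf`. Since that grep also matches commented-out lines, anchoring it as `'^[^#]*CtrlAltDelBurstAction'` would keep a commented directive from passing the check. Separately, the new TMOUT finding sentence at the start of the hunk has a stray quote in `"/etc/'profile.d/`, which should read `"/etc/profile.d/"`.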
@@ -5176,20 +5179,7 @@ $ sudo sysctl --systemSRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>OL09-00-002424OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.<VulnDiscussion>Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000803Configure Kerberos to use system crypto policy. - -Remove incorrect symlink if it exists using the following command: - -$ sudo rm /etc/crypto-policies/back-ends/krb5.config - -Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command: - -$ sudo ln -s /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.configVerify that OL 9 configures Kerberos to use the systemwide crypto policy with the following command: - -$ file /etc/crypto-policies/back-ends/krb5.config -/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt - -If the symlink does not exist or points to a different target, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002425OL 9 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized 
activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Modify the postfix configuration file to restrict client connections to the local network with the following command: +If "kernel.randomize_va_space" is not set to "2" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002425OL 9 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Modify the postfix configuration file to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Note: If postfix is not installed, this requirement is Not Applicable. 
@@ -5222,17 +5212,7 @@ If a TFTP server is installed, check for the server arguments with the following $ systemctl cat tftp | grep ExecStart ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot -If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-002427OL 9 must be configured so that local initialization files do not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 so that local initialization files do not execute world-writable programs. - -Set the mode on files being executed by the local initialization files with the following command: - -$ sudo chmod 0755 <file>Verify that OL 9 is configured so that local initialization files do not execute world-writable programs with the following command: - -Note: The example will be for a system that is configured to create user home directories in the "/home" directory. 
- -$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; - -If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL09-00-002428OL 9 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL09-00-002428OL 9 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-003992Configure OL 9 to prevent the loading of a new kernel for later execution. 
@@ -5327,15 +5307,15 @@ $ sudo stat -c "%a %n" /etc/ssh/*.pub 644 /etc/ssh/ssh_host_ed25519_key.pub 644 /etc/ssh/ssh_host_rsa_key.pub -If any key.pub file has a mode more permissive than "0644", this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002504OL 9 system commands must be group-owned by root or a system account.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any key.pub file has a mode more permissive than "0644", this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002504OL 9 system commands must be group-owned by root or a system account.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001499Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. 
-$ sudo chgrp root [FILE]Verify that OL 9 system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: +$ sudo chgrp root [FILE]Verify OL 9 system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; If any system commands are returned and is not group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002505OL 9 system commands must be owned by root.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
@@ -5378,7 +5358,7 @@ $ sudo chmod 0600 /etc/ssh/sshd_config $ ls -al /etc/ssh/sshd_config rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config -If the "/etc/ssh/sshd_config" permissions are not "0600", this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL09-00-002510OL 9 must be configured so that a sticky bit must be set on all public directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If the "/etc/ssh/sshd_config" permissions are not "0600", this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL09-00-002510OL 9 must be configured so that a sticky bit must be set on all public directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001090Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. 
@@ -5447,17 +5427,17 @@ Note: This may miss interactive users that have been assigned a privileged user $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-x--- 2 wadea admin 4096 Jun 5 12:41 wadea -If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL09-00-002516OL 9 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files created by others. +If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL09-00-002516OL 9 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files created by others. -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001090Configure all public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001090Configure all OL 9 public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. 
-Set the owner of all public directories as root or a system account using the command, replace "[Public Directory]" with any directory path not owned by root or a system account: +Use the following command template to set ownership of public directories to root or a system account: -$ sudo chown root [Public Directory]Verify that OL 9 configures world writable directories to be owned by root, a system account, or an application account with the following command. It will discover and print world-writable directories that are not owned by root. Run it once for each local partition [PART]: +$ sudo chown [root or system account] [Public Directory]Verify OL 9 world writable directories are owned by root, a system account, or an application account with the following command: -$ sudo find [PART] -xdev -type d -perm -0002 -uid +0 -print +$ sudo find / -xdev -type d -perm -0002 -uid +999 -exec stat -c "%U, %u, %A, %n" {} \; 2>/dev/null -If there is output, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002520OL 9 library directories must be group-owned by root or a system account.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If there is output that indicates world-writable directories are owned by any account other than root or an approved system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002520OL 9 library directories must be group-owned by root or a system account.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001499Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. 
@@ -5477,17 +5457,17 @@ $ sudo chown root [DIRECTORY]SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002522OL 9 library directories must have mode 755 or less permissive.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system-wide shared library directory is not owned by root, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002522OL 9 library directories must have mode 755 or less permissive.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. -This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001499Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. +This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001499Configure the systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than 755. -$ sudo chmod 755 [DIRECTORY]Verify that OL 9 system-wide shared library directories have mode "755" or less permissive with the following command: +$ sudo chmod 755 [DIRECTORY]Verify OL 9 systemwide shared library directories have mode "755" or less permissive with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec ls -l {} \; -If any system-wide shared library file is found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002523OL 9 library files must be group owned by root or a system account.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
+If any systemwide shared library directory is found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL09-00-002523OL 9 library files must be group owned by root or a system account.<VulnDiscussion>If OL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to OL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001499Configure the OL 9 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be group owned by root with the following command: 
@@ -6203,34 +6183,38 @@ $DefaultNetstreamDriver gtlsSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-005030OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. +If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-005030OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. -If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to not receive remote logs using rsyslog. 
+If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to not receive remote logs using rsyslog. Remove the lines in /etc/rsyslog.conf and any files in the /etc/rsyslog.d directory that match any of the following: - -$ModLoad imtcp -$ModLoad imudp -$ModLoad imrelp -$InputTCPServerRun [0-9]* -$UDPServerRun [0-9]* -$InputRELPServerRun [0-9]* +InputTCPServerRun +UDPServerRun +RELPServerRun +module(load="imtcp") +module(load="imudp") +module(load="imrelp") +input(type="imudp" port="514") +input(type="imtcp" port="514") +input(type="imrelp" port="514") The rsyslog daemon must be restarted for the changes to take effect: -$ sudo systemctl restart rsyslog.serviceVerify that OL 9 is not configured to receive remote logs using rsyslog with the following commands: +$ sudo systemctl restart rsyslog.serviceNote: If the system administrator can demonstrate that another tool (e.g., SPLUNK) is being used to manage log offload and aggregation in lieu of rsyslog, this check is not applicable. -$ grep -i modload /etc/rsyslog.conf /etc/rsyslog.d/* -$ModLoad imtcp -$ModLoad imrelp +Verify OL 9 is not configured to receive remote logs using rsyslog with the following commands: -$ grep -i serverrun /etc/rsyslog.conf /etc/rsyslog.d/* -$InputTCPServerRun 514 -$InputRELPServerRun 514 +$ ss -tulnp | grep rsyslog -Note: An error about no files or directories may be returned. This is not a finding. 
+If no output is returned, rsyslog is not listening for remote messages, and is compliant. -If any lines are returned by the command, then rsyslog is configured to receive remote messages, and this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>OL09-00-006000OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. +If output appears, check for configured ports (514 is the default for syslog). + +Check for remote logging configuration in rsyslog by examining the rsyslog configuration files: + +$ sudo grep -E 'InputTCPServerRun | UDPServerRun | RELPServerRun | imtcp | imudp | imrelp' /etc/rsyslog.conf /etc/rsyslog.d/* + +If this command returns uncommented lines enabling network listeners, the system is accepting remote logs. If this system is not documented and authorized as a log aggregation server, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>OL09-00-006000OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of OL 9 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. 
A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-002385Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf": 
@@ -6382,7 +6366,7 @@ Check the value of the accept source route variable with the following command: $ sysctl net.ipv4.conf.default.log_martians net.ipv4.conf.default.log_martians = 1 -If the returned line does not have a value of "1", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-006024OL 9 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to use reverse path filtering on all IPv4 interfaces. +If the returned line does not have a value of "1", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-006024OL 9 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. 
It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to use reverse path filtering on all IPv4 interfaces. Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: 
@@ -6390,11 +6374,11 @@ net.ipv4.conf.all.rp_filter = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify that OL 9 uses reverse path filtering on all IPv4 interfaces with the following commands: - -$ sysctl net.ipv4.conf.all.rp_filter -net.ipv4.conf.all.rp_filter = 1 - +$ sudo sysctl --systemVerify OL 9 uses reverse path filtering on all IPv4 interfaces with the following commands: + +$ sysctl net.ipv4.conf.all.rp_filter +net.ipv4.conf.all.rp_filter = 1 + If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-006025OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It must be disabled unless absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to prevent IPv4 ICMP redirect messages from being accepted. 
@@ -6429,7 +6413,7 @@ Check the value of the accept source route variable with the following command: $ sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-006027OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to use reverse path filtering on IPv4 interfaces by default. +If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-006027OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. 
It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to use reverse path filtering on IPv4 interfaces by default. Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: 
@@ -6437,11 +6421,11 @@ net.ipv4.conf.default.rp_filter = 1 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify that OL 9 uses reverse path filtering on IPv4 interfaces with the following commands: - -$ sysctl net.ipv4.conf.default.rp_filter -net.ipv4.conf.default.rp_filter = 1 - +$ sudo sysctl --systemVerify OL 9 uses reverse path filtering on IPv4 interfaces with the following commands: + +$ sysctl net.ipv4.conf.default.rp_filter +net.ipv4.conf.default.rp_filter = 1 + If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL09-00-006028OL 9 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-000366Configure OL 9 to not allow IPv4 packet forwarding unless the system is a router. Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: 
@@ -6746,4 +6730,16 @@ $ sudo auditctl -l | grep /etc/cron.d $ sudo auditctl -l | grep /var/spool/cron -w /var/spool/cron -p wa -k cronjobs -If either of these commands do not return the expected output, or the lines are commented out, this is a finding. \ No newline at end of file +If either of these commands do not return the expected output, or the lines are commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>OL09-00-002376OL 9 must terminate idle user sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 9DISADPMS TargetOracle Linux 95680CCI-001134Configure OL 9 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + +StopIdleSessionSec=600 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + +$ sudo systemctl restart systemd-logindVerify that OL 9 logs out sessions that are idle for 10 minutes with the following command: + +$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + +StopIdleSessionSec=600 + +If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. \ No newline at end of file From e438b4c134ea4336c350bcaf5f79b4b3776d04b4 Mon Sep 17 00:00:00 2001 
From: Armando Acosta Date: Wed, 18 Feb 2026 10:45:02 -0600 Subject: [PATCH 137/265] Add conflict statement to coredump rules for OL The following note was added in OL8 STIG V2R7 for OL08-00-010672 to OL08-00-010675 Note: If kernel dumps are disabled in accordance with OL08-00-010671, this requirement is not applicable. The following note was added in OL9 STIG V1R4 for OL09-00-002381 to OL09-00-002384 Note: If kernel dumps are disabled in accordance with OL09-00-002380, this requirement is not applicable. So we will just conflict all other rules with first. Signed-off-by: Armando Acosta
---
 .../restrictions/coredumps/coredump_disable_backtraces/rule.yml | 2 +-
 .../restrictions/coredumps/coredump_disable_storage/rule.yml | 2 +-
 .../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 +-
 .../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
index 99fbd8321d5d..5db74d51bd52 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
@@ -66,7 +66,7 @@ warnings:
 platform: package[systemd]
-{{% if product in ["rhel8", "rhel9"] %}}
+{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}}
 conflicts:
 - sysctl_kernel_core_pattern
 {{% endif %}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
index bd826b199009..793680264655 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
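Review bot: The product list `["ol8", "ol9", "rhel8", "rhel9"]` is now spelled out verbatim in four rule files (this hunk plus the coredump_disable_storage, disable_users_coredumps and service_systemd-coredump_disabled hunks), so the next product whose STIG carries the same "not applicable if kernel dumps are disabled" note must be added in four places, and one missed file leaves that rule selected alongside sysctl_kernel_core_pattern. Since the condition's reason lives only in the commit message, a one-line comment above each guard would keep it with the code, e.g. `{{# STIG marks this rule N/A when kernel dumps are disabled via sysctl_kernel_core_pattern #}}`. Whether the four lists could instead be driven from a single product property is not visible from this hunk.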
@@ -63,7 +63,7 @@ warnings: platform: package[systemd] -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml index 9f457c1f838b..c7f0e9bc4e9f 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml @@ -56,7 +56,7 @@ srg_requirement: '{{{ full_name }}} must disable core dumps for all users.' platform: package[pam] -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml index 58b2fe312066..296ea17c8df0 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml @@ -45,7 +45,7 @@ fixtext: '{{{ fixtext_service_disabled("systemd-coredump") }}}' srg_requirement: '{{{ srg_requirement_service_disabled("systemd-coredump") }}}' -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern {{% endif %}} From b5fea196b248ebb8a65fef9ca3454d7cd37497d3 Mon Sep 17 00:00:00 2001 
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:36:45 +0200 Subject: [PATCH 138/265] Change pam_options template to support pam configuration in /usr and /etc directories In SLE16 it is the case the distribution default configuration comes in /usr subdirs and system-wide custom configuration sits in /etc so we need to handle both in the template - add ability to specify the external variable name to template - add ability to specify variable type: integer or string - for now this template is only used for 2 rules: use_pam_wheel_for_su and use_pam_wheel_group_for_su, but the approach needs to be applied to other PAM related rules --- shared/templates/pam_options/ansible.template | 36 ++++--- shared/templates/pam_options/bash.template | 16 ++- shared/templates/pam_options/oval.template | 97 +++++++++++++++++-- 3 files changed, 124 insertions(+), 25 deletions(-) diff --git a/shared/templates/pam_options/ansible.template b/shared/templates/pam_options/ansible.template index 5308b0625466..8da6a86a3fbc 100644 --- a/shared/templates/pam_options/ansible.template +++ b/shared/templates/pam_options/ansible.template @@ -10,13 +10,14 @@ # updated the Ansible pamd module to do that, we will need to use regexp # for now. - -# declare the XCCDF vars if any -{{% for arg in ARGUMENTS %}} -{{% if arg['variable']|length %}} -- (xccdf-var var_password_pam_{{{ arg['variable'] }}}) +{{% if product == 'sle16' %}} +- name: Copy default /usr/lib/pam.d/{{ '{{{ PATH }}}' | basename }} to {{{ PATH }}} + ansible.builtin.copy: + src: /usr/lib/pam.d/{{ '{{{ PATH }}}' | basename }} + dest: {{{ PATH }}} + force: no + mode: '0644' {{% endif %}} -{{% endfor %}} - name: Set control_flag fact ansible.builtin.set_fact: 
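Review bot: The new sle16 `ansible.builtin.copy` task reads `src: /usr/lib/pam.d/...` from the Ansible control node rather than from the managed host, because `remote_src` is not set; unless the controller happens to carry an identical vendor file the task fails before the rest of the template runs. Add `remote_src: true` under `ansible.builtin.copy:`, and since the file is a PAM policy read on every authentication, pin its ownership explicitly as well: `owner: root` and `group: root` next to the existing `mode: '0644'`. The bash template in this same commit performs the copy on the target itself, so the two remediations currently diverge.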
@@ -33,7 +34,7 @@ path: {{{ PATH }}} line: '{{{ TYPE }}} {{{ CONTROL_FLAG }}} {{{ MODULE }}}' state: present - when: check_pam_module_result.stdout is defined and '"{{{ MODULE }}}" not in check_pam_module_result.stdout' + when: check_pam_module_result is not skipped and check_pam_module_result.stdout is defined and "{{{ MODULE }}}" not in check_pam_module_result.stdout - name: Ensure '{{{ MODULE }}}' module has conforming control flag ansible.builtin.lineinfile: @@ -41,7 +42,7 @@ regexp: '^(\s*{{{ TYPE }}}\s+)\S+(\s+{{{ MODULE }}}\s+.*)' line: '\g<1>{{{ CONTROL_FLAG }}}\g<2>' backrefs: yes - when: control_flag|length + when: check_pam_module_result is not skipped and control_flag|length {{% for arg in ARGUMENTS %}} # NOTE: if 'remove_argument' is present and set to some value, we assume @@ -56,13 +57,22 @@ {{% elif arg['variable']|length %}} # NOTE(gyee): if 'var' is used, user is meant to set the argument to a # static value +{{% if arg['variable_name'] %}} +{{% set pam_variable_name = arg['variable_name'] %}} +{{% else %}} +{{% set pam_variable_name = "var_password_pam_" + arg['variable'] %}} +{{% endif %}} +{{{ ansible_instantiate_variables(pam_variable_name) }}} + +{{% set pam_variable_value = "{{ " + pam_variable_name + " }}" %}} -- name: Ensure "{{{ MODULE }}}" module has argument "{{{ arg['variable'] }}}={{ var_password_pam_{{{ arg['variable'] }}} }}" +- name: Ensure "{{{ MODULE }}}" module has argument "{{{ arg['variable'] }}}={{{ pam_variable_value }}}" ansible.builtin.lineinfile: path: {{{ PATH }}} regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}}(?:\s+\S+)*\s+{{{ arg['variable'] }}}=)(?:\S+)((\s+\S+)*\s*\\*\s*)$' - line: '\g<1>{{ var_password_pam_{{{ arg['variable'] }}} }}\g<2>' + line: '\g<1>{{{ pam_variable_value }}}\g<2>' backrefs: yes + when: check_pam_module_result is not skipped - name: Check the presence of "{{{ arg['variable'] }}}" argument in "{{{ MODULE }}}" module ansible.builtin.shell: | 
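Review bot: The new `variable_name` template parameter, introduced in the `{{% if arg['variable_name'] %}}` branch here and in the same branch of bash.template and oval.template, is not documented anywhere in the diff; the diffstat lists only the three template files, so the template documentation that rule authors read does not learn that it overrides the default `var_password_pam_<variable>` id. A short comment beside the branch, `# variable_name: optional XCCDF variable id; defaults to var_password_pam_<variable>`, and a matching entry in the template's documentation would cover it. The enclosing `{{% for arg in ARGUMENTS %}}` loop starts outside this hunk.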
@@ -74,9 +84,9 @@ ansible.builtin.lineinfile: path: {{{ PATH }}} regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}})((\s+\S+)*\s*(\\)*$)' - line: '\g<1> {{{ arg['variable'] }}}={{ var_password_pam_{{{ arg['variable'] }}} }}\g<2>' + line: '\g<1> {{{ arg['variable'] }}}={{{ pam_variable_value }}}\g<2>' backrefs: yes - when: check_pam_module_argument_result is not skipped and '"{{{ arg['variable'] }}}" not in check_pam_module_argument_result.stdout' + when: check_pam_module_argument_result is not skipped and "{{{ arg['variable'] }}}" not in check_pam_module_argument_result.stdout {{% else %}} - name: Set argument_value fact ansible.builtin.set_fact: @@ -102,6 +112,6 @@ regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}})((\s+\S+)*\s*(\\)*$)' line: '\g<1> {{{ arg['new_argument'] }}}\g<2>' backrefs: yes - when: check_pam_module_argument_result is not skipped and '"{{{ arg['argument'] }}}" not in check_pam_module_argument_result.stdout' + when: check_pam_module_argument_result is not skipped and "{{{ arg['argument'] }}}" not in check_pam_module_argument_result.stdout {{% endif %}} {{% endfor %}} diff --git a/shared/templates/pam_options/bash.template b/shared/templates/pam_options/bash.template index 49b717c6cb45..a3b4ca92863a 100644 --- a/shared/templates/pam_options/bash.template +++ b/shared/templates/pam_options/bash.template 
@@ -10,10 +10,22 @@ declare -a ARGS=() declare -a NEW_ARGS=() declare -a DEL_ARGS=() +{{% if product == 'sle16' %}} +PAM_DEFAULTS_FILE_NAME="/usr/lib/pam.d/$(basename "{{{ PATH }}}")" +if ! [ -e "{{{ PATH }}}" ] ; then + cp "${PAM_DEFAULTS_FILE_NAME}" "{{{ PATH }}}" +fi +{{% endif %}} + {{% for arg in ARGUMENTS -%}} {{% if arg['variable'] | length -%}} -{{{ bash_instantiate_variables("var_password_pam_" + arg['variable']) }}} -VALUES+=("${{{ "var_password_pam_" + arg['variable'] }}}") +{{% if arg['variable_name'] %}} +{{% set pam_variable_name = arg['variable_name'] %}} +{{% else %}} +{{% set pam_variable_name = "var_password_pam_" + arg['variable'] %}} +{{% endif %}} +{{{ bash_instantiate_variables(pam_variable_name) }}} +VALUES+=("${{{ pam_variable_name }}}") VALUE_NAMES+=("{{{ arg['variable'] }}}") {{%- else %}} VALUES+=("") diff --git a/shared/templates/pam_options/oval.template b/shared/templates/pam_options/oval.template index e517a837f463..9751c025adb6 100644 --- a/shared/templates/pam_options/oval.template +++ b/shared/templates/pam_options/oval.template 
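Review bot: The sle16 `cp` of the vendor default into `{{{ PATH }}}` creates the file with a mode derived from the source and the caller's umask, and it is attempted even when `${PAM_DEFAULTS_FILE_NAME}` does not exist, in which case the copy fails and the later edits presumably operate on a missing file. Because the result is a PAM policy consulted on every authentication, create it with an explicit mode and owner and guard the source: `if ! [ -e "{{{ PATH }}}" ] && [ -f "${PAM_DEFAULTS_FILE_NAME}" ]; then` / `    install -m 0644 -o root -g root "${PAM_DEFAULTS_FILE_NAME}" "{{{ PATH }}}"` / `fi`. The Ansible counterpart sets `mode: '0644'`, so this also keeps the two remediations consistent.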
@@ -4,22 +4,63 @@ {{% set MATCH_CONTROL_FLAG = '\S+' %}} {{% endif %}} +{{% if product == 'sle16' %}} +{{% set PAM_VENDOR_FILE = "/usr/lib/pam.d/" + PATH.split('/') | last %}} +{{% endif %}} + {{{ oval_metadata("Configure PAM module", rule_title=rule_title) }}} - -{{% for arg in ARGUMENTS %}} -{{% if arg['variable']|length %}} - +{{% if product == 'sle16' %}} + + + + {{% for arg in ARGUMENTS %}} + {{% if arg['variable']|length %}} + + {{% else %}} + + {{% endif %}} + {{% endfor %}} + + + {{{ oval_config_file_exists_criterion(PATH, rule_id=rule_id) }}} + {{% for arg in ARGUMENTS %}} + {{% if arg['variable']|length %}} + + {{% else %}} + + {{% endif %}} + {{% endfor %}} + + {{% else %}} - -{{% endif %}} -{{% endfor %}} + + {{% for arg in ARGUMENTS %}} + {{% if arg['variable']|length %}} + + {{% else %}} + + {{% endif %}} + {{% endfor %}} +{{% endif %}} +{{% if product == 'sle16' %}} +{{{ oval_config_file_exists_test(PATH, rule_id=rule_id) }}} +{{{ oval_config_file_exists_object(PATH, rule_id=rule_id) }}} +{{% endif %}} + {{% for arg in ARGUMENTS %}} {{% if arg['variable']|length %}} +{{% if arg['variable_name'] %}} +{{% set pam_variable_name = arg['variable_name'] %}} +{{% else %}} +{{% set pam_variable_name = "var_password_pam_" + arg['variable'] %}} +{{% endif %}} + + 
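Review bot: The OVAL criteria operators are not visible in this hunk (the XML elements were stripped), so it cannot be confirmed that the `PAM_VENDOR_FILE` criteria count only when `{{{ PATH }}}` is absent. PAM consults `/usr/lib/pam.d/<service>` only as a fallback when `/etc/pam.d/<service>` does not exist, so a host whose vendor file is compliant but whose existing `/etc/pam.d` copy is not must still fail; the `oval_config_file_exists_criterion(PATH, rule_id=rule_id)` criterion suggests this is the intent. A comment in the template stating the invariant, e.g. `{{# /etc/pam.d/<service> overrides /usr/lib/pam.d/<service>; vendor-file criteria apply only when the /etc file is absent #}}`, would make it explicit for the next rule that adopts the template.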
@@ -29,15 +70,33 @@ {{{ PATH }}} - ^\s*{{{ TYPE }}}\s+{{{ MATCH_CONTROL_FLAG }}}\s+{{{ MODULE }}}.*\s{{{ arg['variable'] }}}=(-?\d+)(?:\s+.*)? + ^\s*{{{ TYPE }}}\s+{{{ MATCH_CONTROL_FLAG }}}\s+{{{ MODULE }}}.*\s{{{ arg['variable'] }}}=(-?[a-zA-Z0-9]+)(?:\s+.*)? 1 - + - + + +{{% if product == 'sle16' %}} + + + + + + + {{{ PAM_VENDOR_FILE }}} + ^\s*{{{ TYPE }}}\s+{{{ MATCH_CONTROL_FLAG }}}\s+{{{ MODULE }}}.*\s{{{ arg['variable'] }}}=(-?[a-zA-Z0-9]+)(?:\s+.*)? + 1 + +{{% endif %}} + + {{% else %}} 1 + +{{% if product == 'sle16' %}} + + + + + + {{{ PAM_VENDOR_FILE }}} +{{% if arg['argument_match']|length %}} + ^\s*{{{ TYPE }}}(?:(?!\n)\s)+{{{ MATCH_CONTROL_FLAG }}}(?:(?!\n)\s)+{{{ MODULE }}}((?!\n)\s[^\n]+)?(?!\n)\s+{{{ arg['argument'] }}}={{{ arg['argument_match'] }}}((\s+\S+)*\s*\\*\s*)$ +{{% else %}} + ^\s*{{{ TYPE }}}(?:(?!\n)\s)+{{{ MATCH_CONTROL_FLAG }}}(?:(?!\n)\s)+{{{ MODULE }}}((?!\n)\s[^\n]+)?(?!\n)\s+{{{ arg['argument'] }}}((\s+\S+)*\s*\\*\s*)$ +{{% endif %}} + 1 + +{{% endif %}} {{% endif %}} {{% endfor %}} From 3c613e482bb8799c216bc85416f09f6608b58475 Mon Sep 17 00:00:00 2001 
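Review bot: The widened capture `=(-?[a-zA-Z0-9]+)`, used for both the `{{{ PATH }}}` object and the new `{{{ PAM_VENDOR_FILE }}}` object, stops at `_`, `-` and `.`, so a value such as `group=su_admins` is captured as `su`; with `operation: equals` that truncates the configured name, and if the XCCDF variable is itself `su` the check passes against a file that actually grants a different group. The OVAL that the next commit in this series deletes for use_pam_wheel_group_for_su captured the group with `[_a-z][-0-9_a-z]*`, which this template must at least preserve; a class such as `=([\w.-]+)` covers both the numeric arguments the template already handled and group names. The Ansible regex in this same commit replaces the value with `(?:\S+)`, so remediation and check currently disagree on what a value may look like.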
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:46:44 +0200 Subject: [PATCH 139/265] Apply the pam_options template for use_pam_wheel_for_su and use_pam_wheel_group_for_su --- .../use_pam_wheel_for_su/ansible/shared.yml | 11 ------- .../use_pam_wheel_for_su/bash/shared.sh | 4 --- .../use_pam_wheel_for_su/oval/shared.xml | 21 ------------- .../root_logins/use_pam_wheel_for_su/rule.yml | 11 +++++++ .../ansible/shared.yml | 14 --------- .../use_pam_wheel_group_for_su/bash/shared.sh | 15 --------- .../oval/shared.xml | 31 ------------------- .../use_pam_wheel_group_for_su/rule.yml | 17 +++++++++- 8 files changed, 27 insertions(+), 97 deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml deleted file mode 100644 index b6f60d4bc946..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low - -- name: "Restrict usage of su command only to members of wheel group" - ansible.builtin.replace: - path: "/etc/pam.d/su" - regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$' - replace: "auth required pam_wheel.so use_uid" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh deleted file mode 100644 index 5bd381d1210f..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +++ /dev/null @@ -1,4 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux - -# uncomment the option if commented -sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml deleted file mode 100644 index d7932de398fd..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.", rule_title=rule_title) }}} - - - - - - - - - - - /etc/pam.d/su - ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+\buse_uid\b - 1 - - 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml index 6c0ca626469e..ad32af129980 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml @@ -61,3 +61,14 @@ vuldiscussion: |- When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. platform: package[pam] + +template: + name: pam_options + vars: + path: /etc/pam.d/su + type: auth + control_flag: required + module: pam_wheel.so + arguments: + - argument: use_uid + new_argument: use_uid diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml deleted file mode 100644 index 6d79f4e9d2de..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml +++ /dev/null @@ -1,14 +0,0 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low - -{{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}} - -- name: {{{ rule_title }}} - Add the group to the /etc/pam.d/su file - ansible.builtin.lineinfile: - path: "/etc/pam.d/su" - state: present - regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$' - line: "auth required pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su }}" 
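Review bot: Switching this rule to the `pam_options` template changes what the remediation does: the deleted bash and ansible snippets only uncommented an existing `#auth required pam_wheel.so use_uid` line in /etc/pam.d/su, whereas the template, as far as the ansible.template in the previous commit shows, inserts the `auth required pam_wheel.so` line when the module is missing and appends `use_uid` when absent. That is stricter and arguably better, but the rule's fixtext and description, which are outside this hunk, should presumably say the line is added rather than uncommented. The deleted snippets also carried `# platform =` lists, so the generated remediations now apply to every platform the rule itself applies to, which is worth stating in the commit message.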
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh deleted file mode 100644 index 35df572f9f8d..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh +++ /dev/null @@ -1,15 +0,0 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian -{{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}} - -PAM_CONF=/etc/pam.d/su - -pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) -if [ -z "$pamstr" ]; then - sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line - sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} -else - group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) - if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then - sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} - fi -fi diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml deleted file mode 100644 index b841da12e366..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml +++ /dev/null 
@@ -1,31 +0,0 @@ - - - {{{ oval_metadata("Only members of the group set in variable 'var_pam_wheel_group_for_su' should be able to authenticate through the su command.", rule_title=rule_title) }}} - - - - - - - - - - - - /etc/pam.d/su - ^\s*auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)[^#]*\bgroup=([_a-z][-0-9_a-z]*) - 1 - - - - - - - - diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml index 3d00846e44a7..d1cf0a7ad598 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml @@ -37,9 +37,24 @@ ocil: |- Run the following command to check if the line is present:
grep pam_wheel /etc/pam.d/su
The output should contain the following line: -
auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su") }}}
+
auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su.var") }}}
warnings: - general: |- Note that ensure_pam_wheel_group_empty rule complements this requirement by ensuring the referenced group exists and has no members. + +template: + name: pam_options + vars: + path: /etc/pam.d/su + type: auth + control_flag: required + module: pam_wheel.so + arguments: + - variable: group + variable_name: var_pam_wheel_group_for_su + operation: equals + datatype: string + - argument: use_uid + new_argument: use_uid From b3c23bfd86b2aa1052825eb8a8c764b099dcb931 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 19 Feb 2026 11:00:09 +0200 Subject: [PATCH 140/265] Make sure that the tests don't fail because we are trying to remove non-installed package --- shared/macros/10-bash.jinja | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 7a92cfd8cdb7..e03780a9539f 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -500,7 +500,9 @@ fi {{%- elif pkg_manager == "apt_get" -%}} DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "{{{ package }}}" {{%- elif pkg_manager == "zypper" -%}} -zypper remove -y "{{{ package }}}" +if rpm -q --quiet "{{{ package }}}" ; then + zypper remove -y "{{{ package }}}" +fi {{%- else -%}} {{{ die("Can't generate a remediation for " + pkg_manager) }}} {{%- endif -%}} From f54fe33bcfbb0c0b24296e3f900ed641a9f4517e Mon Sep 17 00:00:00 2001 
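Review bot: The ocil text now references `xccdf_value("var_pam_wheel_group_for_su.var")` while the template's `variable_name` is `var_pam_wheel_group_for_su`; unless the `xccdf_value` macro strips a `.var` suffix, the rendered substitution points at a variable id that does not exist and the OCIL shows an unresolved reference. Dropping the suffix, `{{{ xccdf_value("var_pam_wheel_group_for_su") }}}`, as the removed line had, keeps the OCIL, the OVAL and the remediations on the same variable. The `ocil:` block starts outside the hunk.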
From: Miha Purg Date: Thu, 19 Feb 2026 10:35:22 +0100 Subject: [PATCH 141/265] Add rules to Ubuntu 22.04 STIG to align with V2R7 - UBTU-22-211000: Ubuntu 22.04 LTS must be a vendor-supported release. - UBTU-22-254010: Ubuntu 22.04 LTS must have the "SSSD" package installed. - UBTU-22-254015: Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services. - UBTU-22-254020: Ubuntu 22.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication. - UBTU-22-254030: Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. - UBTU-22-654224: The operating system must restrict privilege elevation to authorized personnel. --- controls/stig_ubuntu2204.yml | 52 +++++++++++++++++++ .../oval/shared.xml | 1 + 2 files changed, 53 insertions(+) diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index 0f6b991ab240..450acb9fb5ea 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml @@ -14,6 +14,14 @@ reference_type: stigid product: ubuntu2204 controls: + - id: UBTU-22-211000 + title: Ubuntu 22.04 LTS must be a vendor-supported release. + levels: + - high + rules: + - installed_OS_is_vendor_supported + status: automated + - id: UBTU-22-211015 title: Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence. levels: 
@@ -474,6 +482,42 @@ controls: - sysctl_net_ipv4_tcp_syncookies status: automated + - id: UBTU-22-254010 + title: Ubuntu 22.04 LTS must have the "SSSD" package installed. + levels: + - medium + rules: + - package_nss_sss_installed + - package_pam_sss_installed + - package_sssd_installed + status: automated + + - id: UBTU-22-254015 + title: Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services. + levels: + - medium + rules: + - service_sssd_enabled + status: automated + + - id: UBTU-22-254020 + title: Ubuntu 22.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication. + levels: + - medium + rules: + - sssd_enable_pam_services + - sssd_enable_smartcards + - sssd_certification_path_trust_anchor + status: automated + + - id: UBTU-22-254030 + title: Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. + levels: + - medium + rules: + - sssd_enable_user_cert + status: automated + - id: UBTU-22-255010 title: Ubuntu 22.04 LTS must have SSH installed. levels: @@ -1602,6 +1646,14 @@ controls: - audit_rules_sudoers status: automated + - id: UBTU-22-654224 + title: The operating system must restrict privilege elevation to authorized personnel. + levels: + - medium + rules: + - sudo_restrict_privilege_elevation_to_authorized + status: automated + - id: UBTU-22-654225 title: Ubuntu 22.04 LTS must generate audit records when successful/unsuccessful attempts to modify the /etc/sudoers.d directory occur. diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml index a028877c12a7..5d86a46a2388 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml 
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml @@ -16,6 +16,7 @@ + From ee951b2ca2e79a86ed1b1838464db766d9bf6d35 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sat, 14 Feb 2026 17:36:30 +0200 Subject: [PATCH 142/265] Fix oval failure in case of locked users --- .../oval/shared.xml | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml index c1276fa340e1..2fa2d3e58eb4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml @@ -1,16 +1,35 @@ - {{{ oval_metadata("Only the root account should be assigned a user id of 0.", rule_title=rule_title) }}} + {{{ oval_metadata("Only the root account should be assigned a user id of 0, or the account must be locked.", rule_title=rule_title) }}} - + + + + /etc/passwd - ^(?!root:)[^:]*:[^:]*:0 - 1 + ^(?!root:)([^:]+):[^:]+:0:.*$ + 1 + + + /etc/shadow + ^([^:]+):[!*][^:]*:.*$ + 1 + + + + + + + + + From 7465fcafe5cbae4ab08e67c6c0a303f625159f6e Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Wed, 18 Feb 2026 23:45:17 +0200 Subject: [PATCH 143/265] Add and fix tests to cover locked user --- .../tests/locked_user_uid_0.pass.sh | 7 +++++++ .../tests/other_user_uid_0.fail.sh | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/locked_user_uid_0.pass.sh 
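Review bot: Accepting a non-root UID 0 account whose /etc/shadow password field starts with `!` or `*` is weaker than the metadata text suggests: a locked password only blocks password authentication, while SSH public keys, `su`/`sudo -u` from another account, or a cron entry can still run as that UID-0 user, and `*` is also what accounts that never had a password carry. The XML elements are stripped in this view, so it is not possible to confirm that the shadow criterion is correlated per user name with the passwd match rather than evaluated as "some locked entry exists"; if it is the latter, any locked system account would make an active second UID-0 account pass. Please document the password-only scope of "locked" in the rule and add a test in which a non-root UID-0 account is unlocked while an unrelated account is locked, which must still fail.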
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/locked_user_uid_0.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/locked_user_uid_0.pass.sh new file mode 100644 index 000000000000..e49712ca010d --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/locked_user_uid_0.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_all + +useradd --non-unique --uid 0 rootlocked +# configure password, otherwise user is locked +echo "rootlocked:password" | chpasswd +passwd -l rootlocked diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh index aec75bd0ed52..1c3ada03bc0b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash +# platform = multi_platform_all # -# Remediation doesn't fix the rule, only locks passwords -# of non-root accounts with uid 0. -# remediation = none useradd --non-unique --uid 0 root2 +# configure password, otherwise user is locked +echo "root2:password" | chpasswd From f1bb719e4c7fc4aaa7418ff8edfaacc0578e824f Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 19 Feb 2026 00:30:44 +0200 Subject: [PATCH 144/265] Update rule with the option that account is locked --- .../root_logins/accounts_no_uid_except_zero/rule.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml index 091ca1a70df8..5293b2a6695f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml @@ -4,8 +4,8 @@ title: 'Verify Only Root Has UID 0' description: |- If any account other than root has a UID of 0, this misconfiguration should - be investigated and the accounts other than root should be removed or have - their UID changed. + be investigated and the accounts other than root should be removed, locked + or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "{{{ uid_min }}}." @@ -60,12 +60,14 @@ ocil: |- following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
+ Also make sure that if non-root account with UID "0" exist, it is locked: +
$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow
fixtext: |- Change the UID of any account on the system, other than root, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "{{{ uid_min }}}". Otherwise, - assign a UID of greater than "{{{ uid_min }}}" that has not already been assigned. + assign a UID of greater than "{{{ uid_min }}}" that has not already been assigned or locked. srg_requirement: 'The root account must be the only account having unrestricted access to the {{{ full_name }}} system.' From f9e0fdd8167d69e0a02a1919002e75685182a632 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 19 Feb 2026 19:20:36 +0200 Subject: [PATCH 145/265] Fix ansible call rejectattr to match exactly root user Big thanks to @jan-cerny for catching possible vulnerability :bow: --- .../root_logins/accounts_no_uid_except_zero/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml index 1fc2e85742bb..ce2102fc53d0 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml @@ -11,5 +11,5 @@ - name: Lock the password of the user accounts other than root with uid 0 ansible.builtin.command: passwd -l {{ item.key }} - loop: "{{ getent_passwd | dict2items | rejectattr('key', 'search', 'root') | list }}" + loop: "{{ getent_passwd | dict2items | rejectattr('key', 'equalto', 'root') | list }}" when: item.value.1 == '0' From fbc150677bcd9d14babfc93f9b4f8d46cc4c36a2 Mon Sep 17 00:00:00 2001 
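Review bot: The new OCIL step `grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow` lists every locked account on the system, not the non-root UID-0 accounts the preceding `awk` step identified, so an auditor cannot tell from its output whether the specific account is locked; a command scoped to those names, such as `awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd | xargs -r -I{} grep -E '^{}:[!*]' /etc/shadow`, answers the question the text asks. The fixtext change reads as if the UID is what gets "assigned or locked"; a separate clause, `..., or lock the account with passwd -l.`, is clearer and matches the Ansible remediation. Both the `ocil:` and `fixtext:` blocks extend outside the hunk.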
From: Lance Bragstad Date: Thu, 19 Feb 2026 10:56:12 -0600 Subject: [PATCH 146/265] Bump CIS OpenShift version from 1.7.0 to 1.9.0 Version 1.9.0 was released last month. Let's update the profile to match the latest version. Assisted-By: Claude Opus 4.6 --- products/ocp4/profiles/cis-1-7.profile | 2 ++ products/ocp4/profiles/cis-1-9.profile | 37 +++++++++++++++++++++ products/ocp4/profiles/cis-node-1-7.profile | 2 ++ products/ocp4/profiles/cis-node-1-9.profile | 31 +++++++++++++++++ products/ocp4/profiles/cis-node.profile | 6 ++-- products/ocp4/profiles/cis.profile | 6 ++-- 6 files changed, 78 insertions(+), 6 deletions(-) create mode 100644 products/ocp4/profiles/cis-1-9.profile create mode 100644 products/ocp4/profiles/cis-node-1-9.profile diff --git a/products/ocp4/profiles/cis-1-7.profile b/products/ocp4/profiles/cis-1-7.profile index 9ca64c32198a..f26be121c46d 100644 --- a/products/ocp4/profiles/cis-1-7.profile +++ b/products/ocp4/profiles/cis-1-7.profile @@ -5,6 +5,8 @@ title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' platform: ocp4 +status: deprecated + metadata: SMEs: - rhmdnd diff --git a/products/ocp4/profiles/cis-1-9.profile b/products/ocp4/profiles/cis-1-9.profile new file mode 100644 index 000000000000..ed5bce1fa529 --- /dev/null +++ b/products/ocp4/profiles/cis-1-9.profile 
@@ -0,0 +1,37 @@ +--- +documentation_complete: true + +title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' + +platform: ocp4 + +metadata: + SMEs: + - rhmdnd + - Vincent056 + - yuumasato + version: 1.9.0 + +description: |- + This profile defines a baseline that aligns to the Center for Internet Security® + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. + + This profile includes Center for Internet Security® + Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. + + Note that this part of the profile is meant to run on the Platform that + Red Hat OpenShift Container Platform 4 runs on top of. + + This profile is applicable to OpenShift versions 4.12 and greater. + +filter_rules: '"ocp4-node" not in platform and "ocp4-master-node" not in platform and "ocp4-node-on-sdn" + not in platform and "ocp4-node-on-ovn" not in platform' + +selections: + - cis_ocp:all + ### Variables + - var_openshift_audit_profile=WriteRequestBodies + ### Helper Rules + ### This is a helper rule to fetch the required api resource for detecting OCP version + - version_detect_in_ocp + - version_detect_in_hypershift diff --git a/products/ocp4/profiles/cis-node-1-7.profile b/products/ocp4/profiles/cis-node-1-7.profile index bba8260fec3b..3e7a89d6bae4 100644 --- a/products/ocp4/profiles/cis-node-1-7.profile +++ b/products/ocp4/profiles/cis-node-1-7.profile @@ -5,6 +5,8 @@ title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' platform: ocp4-node +status: deprecated + metadata: SMEs: - rhmdnd diff --git a/products/ocp4/profiles/cis-node-1-9.profile b/products/ocp4/profiles/cis-node-1-9.profile new file mode 100644 index 000000000000..4472019bc79b --- /dev/null +++ b/products/ocp4/profiles/cis-node-1-9.profile 
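Review bot: The new profile's `selections` still pulls `cis_ocp:all`, the control file written for benchmark 1.7.0, while `version: 1.9.0` and the description claim alignment with V1.9.0; until a dedicated 1.9.0 control file is selected (a later commit in this series adds `cis_ocp_190`), the generated profile carries 1.7.0's control set and numbering, so the version metadata is misleading on its own. If the commits are meant to land together, squashing them or selecting `cis_ocp_190:all` here would keep every intermediate tree consistent. The same applies to `cis-node-1-9.profile` in the next file section.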
@@ -0,0 +1,31 @@ +--- +documentation_complete: true + +title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' + +platform: ocp4-node + +metadata: + SMEs: + - rhmdnd + - Vincent056 + - yuumasato + version: 1.9.0 + +description: |- + This profile defines a baseline that aligns to the Center for Internet Security® + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. + + This profile includes Center for Internet Security® + Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. + + Note that this part of the profile is meant to run on the Operating System that + Red Hat OpenShift Container Platform 4 runs on top of. + + This profile is applicable to OpenShift versions 4.12 and greater. + +filter_rules: '"ocp4-node" in platform or "ocp4-master-node" in platform or "ocp4-node-on-sdn" in platform + or "ocp4-node-on-ovn" in platform' + +selections: + - cis_ocp:all diff --git a/products/ocp4/profiles/cis-node.profile b/products/ocp4/profiles/cis-node.profile index bd1ce3bfce8a..90d8cf879591 100644 --- a/products/ocp4/profiles/cis-node.profile +++ b/products/ocp4/profiles/cis-node.profile @@ -10,11 +10,11 @@ metadata: - rhmdnd - Vincent056 - yuumasato - version: 1.7.0 + version: 1.9.0 description: |- This profile defines a baseline that aligns to the Center for Internet Security® - Red Hat OpenShift Container Platform 4 Benchmark™, V1.7. + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. @@ -24,4 +24,4 @@ description: |- This profile is applicable to OpenShift versions 4.12 and greater. -extends: cis-node-1-7 +extends: cis-node-1-9 diff --git a/products/ocp4/profiles/cis.profile b/products/ocp4/profiles/cis.profile index e46d12ad28c1..f63649d5437f 100644 --- a/products/ocp4/profiles/cis.profile +++ b/products/ocp4/profiles/cis.profile 
@@ -10,11 +10,11 @@ metadata: - rhmdnd - Vincent056 - yuumasato - version: 1.7.0 + version: 1.9.0 description: |- This profile defines a baseline that aligns to the Center for Internet Security® - Red Hat OpenShift Container Platform 4 Benchmark™, V1.7. + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. @@ -24,4 +24,4 @@ description: |- This profile is applicable to OpenShift versions 4.12 and greater. -extends: cis-1-7 +extends: cis-1-9 From dcdb5088a7bcb447e227c0c21ea6c60eebe51c1d Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 19 Feb 2026 13:22:41 -0600 Subject: [PATCH 147/265] Add CIS OpenShift 1.9.0 profile and controls CIS 1.9.0 benchmark has some minor differences from 1.7.0. Let's add some separate control files for 1.9.0 so we can make those changes without affecting 1.7.0. Assisted-By: Claude Opus 4.6 --- controls/cis_ocp_190.yml | 11 +++++++++++ products/ocp4/profiles/cis-1-9.profile | 2 +- products/ocp4/profiles/cis-node-1-9.profile | 2 +- 3 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 controls/cis_ocp_190.yml diff --git a/controls/cis_ocp_190.yml b/controls/cis_ocp_190.yml new file mode 100644 index 000000000000..67106b1b5a9e --- /dev/null +++ b/controls/cis_ocp_190.yml @@ -0,0 +1,11 @@ +--- +policy: CIS Red Hat OpenShift Container Platform 4 Benchmark +title: CIS Red Hat OpenShift Container Platform 4 Benchmark +id: cis_ocp_190 +source: https://www.cisecurity.org/benchmark/kubernetes + +levels: + - id: level_1 + - id: level_2 + inherits_from: + - level_1 diff --git a/products/ocp4/profiles/cis-1-9.profile b/products/ocp4/profiles/cis-1-9.profile index ed5bce1fa529..21109f3e7a1a 100644 --- a/products/ocp4/profiles/cis-1-9.profile +++ b/products/ocp4/profiles/cis-1-9.profile 
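Review bot: The new policy file's `source` points at `https://www.cisecurity.org/benchmark/kubernetes`, the generic Kubernetes benchmark page, although `policy` and `title` name the Red Hat OpenShift Container Platform 4 Benchmark; if that URL is inherited from the 1.7.0 policy file and is where CIS publishes the OpenShift benchmark, a short comment saying so would stop readers from assuming a copy-paste error, otherwise it should link the OpenShift benchmark page. The file also records no benchmark version anywhere; the only place `1.9.0` appears is the profile metadata, so a comment such as `# CIS Red Hat OpenShift Container Platform 4 Benchmark v1.9.0` at the top of the policy would make the control set self-describing when read outside the profile.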
@@ -28,7 +28,7 @@ filter_rules: '"ocp4-node" not in platform and "ocp4-master-node" not in platfor not in platform and "ocp4-node-on-ovn" not in platform' selections: - - cis_ocp:all + - cis_ocp_190:all ### Variables - var_openshift_audit_profile=WriteRequestBodies ### Helper Rules diff --git a/products/ocp4/profiles/cis-node-1-9.profile b/products/ocp4/profiles/cis-node-1-9.profile index 4472019bc79b..27ded73fe163 100644 --- a/products/ocp4/profiles/cis-node-1-9.profile +++ b/products/ocp4/profiles/cis-node-1-9.profile @@ -28,4 +28,4 @@ filter_rules: '"ocp4-node" in platform or "ocp4-master-node" in platform or "ocp or "ocp4-node-on-ovn" in platform' selections: - - cis_ocp:all + - cis_ocp_190:all From 9644ce95648f2ced5f4b1395bcd7316d1813d1d4 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 19 Feb 2026 13:24:18 -0600 Subject: [PATCH 148/265] Implement CIS OpenShift v1.9.0 section 1 Section 1 remains largely the same as version 1.7.0, with minor differences: - 1.1.12 had a wording change in the title - 1.2.2 and 1.2.3 were removed in version 1.9.0 causing the control IDs to shift - 1.3.5 was removed in version 1.9.0 This commit accounts for those removals and indexing changes. Assisted-By: Claude Opus 4.6 --- controls/cis_ocp_190/section-1.yml | 506 +++++++++++++++++++++++++++++ 1 file changed, 506 insertions(+) create mode 100644 controls/cis_ocp_190/section-1.yml diff --git a/controls/cis_ocp_190/section-1.yml b/controls/cis_ocp_190/section-1.yml new file mode 100644 index 000000000000..62fadd96bc76 --- /dev/null +++ b/controls/cis_ocp_190/section-1.yml 
@@ -0,0 +1,506 @@ +--- +controls: + - id: '1' + title: Control Plane Components + status: pending + rules: [] + controls: + - id: '1.1' + title: Master Node Configuration Files + status: automated + rules: [] + controls: + - id: 1.1.1 + title: Ensure that the API server pod specification file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_kube_apiserver + levels: + - level_1 + - id: 1.1.2 + title: Ensure that the API server pod specification file ownership is set to root:root + status: automated + rules: + - file_owner_kube_apiserver + - file_groupowner_kube_apiserver + levels: + - level_1 + - id: 1.1.3 + title: Ensure that the controller manager pod specification file permissions are set + to 600 or more restrictive + status: automated + rules: + - file_permissions_kube_controller_manager + levels: + - level_1 + - id: 1.1.4 + title: Ensure that the controller manager pod specification file ownership is set to + root:root + status: automated + rules: + - file_owner_kube_controller_manager + - file_groupowner_kube_controller_manager + levels: + - level_1 + - id: 1.1.5 + title: Ensure that the scheduler pod specification file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_scheduler + levels: + - level_1 + - id: 1.1.6 + title: Ensure that the scheduler pod specification file ownership is set to root:root + status: automated + rules: + - file_owner_kube_scheduler + - file_groupowner_kube_scheduler + levels: + - level_1 + - id: 1.1.7 + title: Ensure that the etcd pod specification file permissions are set to 600 or more + restrictive + status: automated + rules: + - file_permissions_etcd_member + levels: + - level_1 + - id: 1.1.8 + title: Ensure that the etcd pod specification file ownership is set to root:root + status: automated + rules: + - file_groupowner_etcd_member + - file_owner_etcd_member + levels: + - level_1 + - id: 1.1.9 + title: Ensure that the Container 
Network Interface file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_cni_conf + - file_permissions_multus_conf + - file_permissions_ip_allocations + - file_perms_openshift_sdn_cniserver_config + - file_permissions_ovs_pid + - file_permissions_ovs_conf_db + - file_permissions_ovs_sys_id_conf + - file_permissions_ovs_conf_db_lock + - file_permissions_ovs_vswitchd_pid + - file_permissions_ovsdb_server_pid + - file_permissions_ovn_cni_server_sock + - file_permissions_ovn_db_files + levels: + - level_1 + - id: 1.1.10 + title: Ensure that the Container Network Interface file ownership is set to root:root + status: automated + rules: + - file_owner_cni_conf + - file_groupowner_cni_conf + - file_owner_multus_conf + - file_groupowner_multus_conf + - file_owner_ip_allocations + - file_groupowner_ip_allocations + - file_owner_openshift_sdn_cniserver_config + - file_groupowner_openshift_sdn_cniserver_config + - file_owner_ovs_pid + - file_groupowner_ovs_pid + - file_owner_ovs_conf_db + - file_groupowner_ovs_conf_db_openvswitch + - file_groupowner_ovs_conf_db_hugetlbfs + - file_owner_ovs_sys_id_conf + - file_groupowner_ovs_sys_id_conf_openvswitch + - file_groupowner_ovs_sys_id_conf_hugetlbfs + - file_owner_ovs_conf_db_lock + - file_groupowner_ovs_conf_db_lock_openvswitch + - file_groupowner_ovs_conf_db_lock_hugetlbfs + - file_owner_ovs_vswitchd_pid + - file_groupowner_ovs_vswitchd_pid + - file_owner_ovsdb_server_pid + - file_groupowner_ovsdb_server_pid + - file_groupowner_ovn_cni_server_sock + - file_owner_ovn_cni_server_sock + - file_owner_ovn_db_files + - file_groupowner_ovn_db_files + levels: + - level_1 + - id: 1.1.11 + title: Ensure that the etcd data directory permissions are set to 700 or more restrictive + status: automated + rules: + - file_permissions_etcd_data_dir + - file_permissions_etcd_data_files + levels: + - level_1 + - id: 1.1.12 + title: Ensure that the etcd data directory ownership is set to root:root + 
status: automated + rules: + - file_owner_etcd_data_dir + - file_groupowner_etcd_data_dir + - file_owner_etcd_data_files + - file_groupowner_etcd_data_files + levels: + - level_1 + - id: 1.1.13 + title: Ensure that the kubeconfig file permissions are set to 600 or more restrictive + status: automated + rules: + - file_permissions_master_admin_kubeconfigs + levels: + - level_1 + - id: 1.1.14 + title: Ensure that the kubeconfig file ownership is set to root:root + status: automated + rules: + - file_owner_master_admin_kubeconfigs + - file_groupowner_master_admin_kubeconfigs + levels: + - level_1 + - id: 1.1.15 + title: Ensure that the Scheduler kubeconfig file permissions are set to 600 or more + restrictive + status: automated + rules: + - file_permissions_scheduler_kubeconfig + levels: + - level_1 + - id: 1.1.16 + title: Ensure that the Scheduler kubeconfig file ownership is set to root:root + status: automated + rules: + - file_owner_scheduler_kubeconfig + - file_groupowner_scheduler_kubeconfig + levels: + - level_1 + - id: 1.1.17 + title: Ensure that the Controller Manager kubeconfig file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_controller_manager_kubeconfig + levels: + - level_1 + - id: 1.1.18 + title: Ensure that the Controller Manager kubeconfig file ownership is set to root:root + status: automated + rules: + - file_owner_controller_manager_kubeconfig + - file_groupowner_controller_manager_kubeconfig + levels: + - level_1 + - id: 1.1.19 + title: Ensure that the OpenShift PKI directory and file ownership is set to root:root + status: automated + rules: + - file_owner_openshift_pki_key_files + - file_groupowner_openshift_pki_key_files + - file_owner_openshift_pki_cert_files + - file_groupowner_openshift_pki_cert_files + - file_owner_etcd_pki_cert_files + - file_groupowner_etcd_pki_cert_files + levels: + - level_1 + - id: 1.1.20 + title: Ensure that the OpenShift PKI certificate file permissions are set 
to 600 or + more restrictive + status: automated + rules: + - file_permissions_openshift_pki_cert_files + - file_permissions_etcd_pki_cert_files + levels: + - level_1 + - id: 1.1.21 + title: Ensure that the OpenShift PKI key file permissions are set to 600 + status: automated + rules: + - file_permissions_openshift_pki_key_files + levels: + - level_1 + - id: '1.2' + title: API Server + status: pending + rules: [] + controls: + - id: 1.2.1 + title: Ensure that anonymous requests are authorized + status: automated + rules: + - api_server_anonymous_auth + levels: + - level_1 + - id: 1.2.2 + title: Use https for kubelet connections + status: automated + rules: + - api_server_https_for_kubelet_conn + - api_server_openshift_https_serving_cert + - api_server_oauth_https_serving_cert + levels: + - level_1 + - id: 1.2.3 + title: Ensure that the kubelet uses certificates to authenticate + status: automated + rules: + - api_server_kubelet_client_cert + - api_server_kubelet_client_key + levels: + - level_1 + - id: 1.2.4 + title: Verify that the kubelet certificate authority is set as appropriate + status: automated + rules: + - api_server_kubelet_certificate_authority + levels: + - level_1 + - id: 1.2.5 + title: Ensure that the --authorization-mode argument is not set to AlwaysAllow + status: automated + rules: + - api_server_auth_mode_no_aa + levels: + - level_1 + - id: 1.2.6 + title: Verify that RBAC is enabled + status: automated + rules: + - api_server_auth_mode_rbac + levels: + - level_1 + - id: 1.2.7 + title: Ensure that the APIPriorityAndFairness feature gate is enabled + status: inherently met + rules: [] + levels: + - level_1 + - id: 1.2.8 + title: Ensure that the admission control plugin AlwaysAdmit is not set + status: automated + rules: + - api_server_admission_control_plugin_alwaysadmit + levels: + - level_1 + - id: 1.2.9 + title: Ensure that the admission control plugin AlwaysPullImages is not set + status: automated + rules: + - 
api_server_admission_control_plugin_alwayspullimages + levels: + - level_1 + - id: 1.2.10 + title: Ensure that the admission control plugin ServiceAccount is set + status: automated + rules: + - api_server_admission_control_plugin_service_account + levels: + - level_1 + - id: 1.2.11 + title: Ensure that the admission control plugin NamespaceLifecycle is set + status: automated + rules: + - api_server_admission_control_plugin_namespacelifecycle + levels: + - level_1 + - id: 1.2.12 + title: Ensure that the admission control plugin SecurityContextConstraint is set + status: automated + rules: + - api_server_admission_control_plugin_scc + levels: + - level_1 + - id: 1.2.13 + title: Ensure that the admission control plugin NodeRestriction is set + status: automated + rules: + - api_server_admission_control_plugin_noderestriction + levels: + - level_1 + - id: 1.2.14 + title: Ensure that the --insecure-bind-address argument is not set + status: automated + rules: + - api_server_insecure_bind_address + levels: + - level_1 + - id: 1.2.15 + title: Ensure that the --insecure-port argument is set to 0 + status: inherently met + rules: [] + levels: + - level_1 + - id: 1.2.16 + title: Ensure that the --secure-port argument is not set to 0 + status: automated + rules: + - api_server_bind_address + levels: + - level_1 + - id: 1.2.17 + title: Ensure that the healthz endpoint is protected by RBAC + status: automated + rules: + - api_server_profiling_protected_by_rbac + levels: + - level_1 + - id: 1.2.18 + title: Ensure that the --audit-log-path argument is set + status: automated + rules: + - api_server_audit_log_path + - openshift_api_server_audit_log_path + levels: + - level_1 + - id: 1.2.19 + title: Ensure that the audit logs are forwarded off the cluster for retention + status: automated + rules: + - audit_log_forwarding_enabled + - audit_log_forwarding_webhook + levels: + - level_1 + - id: 1.2.20 + title: Ensure that the maximumRetainedFiles argument is set to 10 or as 
appropriate + status: automated + rules: + - api_server_audit_log_maxbackup + - ocp_api_server_audit_log_maxbackup + levels: + - level_1 + - id: 1.2.21 + title: Configure Kubernetes API Server Maximum Audit Log Size + status: automated + rules: + - api_server_audit_log_maxsize + - ocp_api_server_audit_log_maxsize + levels: + - level_1 + - id: 1.2.22 + title: Ensure that the --request-timeout argument is set + status: automated + rules: + - api_server_request_timeout + levels: + - level_1 + - id: 1.2.23 + title: Ensure that the --service-account-lookup argument is set to true + status: automated + rules: + - api_server_service_account_lookup + levels: + - level_1 + - id: 1.2.24 + title: Ensure that the --service-account-key-file argument is set as appropriate + status: automated + rules: + - api_server_service_account_public_key + levels: + - level_1 + - id: 1.2.25 + title: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate + status: automated + rules: + - api_server_etcd_cert + - api_server_etcd_key + levels: + - level_1 + - id: 1.2.26 + title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set + as appropriate + status: automated + rules: + - api_server_tls_cert + - api_server_tls_private_key + levels: + - level_1 + - id: 1.2.27 + title: Ensure that the --client-ca-file argument is set as appropriate + status: automated + rules: + - api_server_client_ca + levels: + - level_1 + - id: 1.2.28 + title: Ensure that the --etcd-cafile argument is set as appropriate + status: automated + rules: + - api_server_etcd_ca + levels: + - level_1 + - id: 1.2.29 + title: Ensure that encryption providers are appropriately configured + status: automated + rules: + - api_server_encryption_provider_cipher + levels: + - level_1 + - id: 1.2.30 + title: Ensure that the API Server only makes use of Strong Cryptographic Ciphers + status: automated + rules: + - api_server_tls_security_profile_not_old + - 
api_server_tls_security_profile_custom_min_tls_version + levels: + - level_1 + - id: 1.2.31 + title: Ensure unsupported configuration overrides are not used + status: pending + rules: + - api_server_no_unsupported_config_overrides + - api_server_kube_no_unsupported_config_overrides + levels: + - level_1 + - id: '1.3' + title: Controller Manager + status: pending + rules: [] + controls: + - id: 1.3.1 + title: Ensure that controller manager healthz endpoints are protected by RBAC + status: automated + rules: + - rbac_debug_role_protects_pprof + levels: + - level_1 + - id: 1.3.2 + title: Ensure that the --use-service-account-credentials argument is set to true + status: automated + rules: + - controller_use_service_account + levels: + - level_1 + - id: 1.3.3 + title: Ensure that the --service-account-private-key-file argument is set as appropriate + status: automated + rules: + - controller_service_account_private_key + levels: + - level_1 + - id: 1.3.4 + title: Ensure that the --root-ca-file argument is set as appropriate + status: automated + rules: + - controller_service_account_ca + levels: + - level_1 + - id: '1.4' + title: Scheduler + status: automated + rules: [] + controls: + - id: 1.4.1 + title: Ensure that the healthz endpoints for the scheduler are protected by RBAC + status: automated + rules: + - scheduler_profiling_protected_by_rbac + levels: + - level_1 + - id: 1.4.2 + title: Verify that the scheduler API service is protected by RBAC + status: automated + rules: + - scheduler_service_protected_by_rbac + levels: + - level_1 From f28703a749211c3f36cd3ac68bcbadb4e51ddb4e Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 19 Feb 2026 13:26:52 -0600 Subject: [PATCH 149/265] Add CIS OpenShift v1.9.0 section 2 This section remains the same as version 1.7.0. Assisted-By: Claude Opus 4.6 --- controls/cis_ocp_190/section-2.yml | 58 ++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 controls/cis_ocp_190/section-2.yml 
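Review bot: Controls 1.1.19–1.1.21 map ownership and permission rules for the OpenShift PKI key and certificate files and for the etcd certificate files (`file_owner_etcd_pki_cert_files`, `file_permissions_etcd_pki_cert_files`), but no rule covering the etcd private key files appears under either 1.1.19 or 1.1.21, so etcd key ownership and mode look unchecked by this mapping; if a `file_*_etcd_pki_key_files` rule exists it should be added here, and if not, a `notes:` entry on 1.1.21 should make the gap visible in the generated report. Separately, 1.2.31 lists two rules yet is marked `status: pending` while every sibling with rules is `automated`; either set it to `automated` or add a `notes:` line explaining what is still missing. The parents `'1'`, `'1.2'` and `'1.3'` are likewise `pending` even though each child is automated or inherently met, and the `inherently met` controls 1.2.7 and 1.2.15 carry no justification — a one-line `notes:` on each stating why the platform satisfies the control would spare auditors from guessing.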
diff --git a/controls/cis_ocp_190/section-2.yml b/controls/cis_ocp_190/section-2.yml new file mode 100644 index 000000000000..d42cc9d46111 --- /dev/null +++ b/controls/cis_ocp_190/section-2.yml @@ -0,0 +1,58 @@ +--- +controls: + - id: '2' + title: etcd + status: pending + rules: [] + controls: + - id: '2.1' + title: Ensure that the --cert-file and --key-file arguments are set as appropriate + status: automated + rules: + - etcd_cert_file + - etcd_key_file + levels: + - level_1 + - id: '2.2' + title: Ensure that the --client-cert-auth argument is set to true + status: automated + rules: + - etcd_client_cert_auth + levels: + - level_1 + - id: '2.3' + title: Ensure that the --auto-tls argument is not set to true + status: automated + rules: + - etcd_auto_tls + levels: + - level_1 + - id: '2.4' + title: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate + status: automated + rules: + - etcd_peer_cert_file + - etcd_peer_key_file + levels: + - level_1 + - id: '2.5' + title: Ensure that the --peer-client-cert-auth argument is set to true + status: automated + rules: + - etcd_peer_client_cert_auth + levels: + - level_1 + - id: '2.6' + title: Ensure that the --peer-auto-tls argument is not set to true + status: automated + rules: + - etcd_peer_auto_tls + levels: + - level_1 + - id: '2.7' + title: Ensure that a unique Certificate Authority is used for etcd + status: automated + rules: + - etcd_unique_ca + levels: + - level_2 From 3fe752105f95b2a763d92e5e1eeab6d885abfcfb Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 19 Feb 2026 13:27:31 -0600 Subject: [PATCH 150/265] Implement CIS OpenShift v1.9.0 section 3 This section remains the same as version 1.7.0. Assisted-By: Claude Opus 4.6 --- controls/cis_ocp_190/section-3.yml | 39 ++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 controls/cis_ocp_190/section-3.yml 
diff --git a/controls/cis_ocp_190/section-3.yml b/controls/cis_ocp_190/section-3.yml new file mode 100644 index 000000000000..3c5dbdc4c0e5 --- /dev/null +++ b/controls/cis_ocp_190/section-3.yml @@ -0,0 +1,39 @@ +--- +controls: + - id: '3' + title: Control Plane Configuration + status: pending + rules: [] + controls: + - id: '3.1' + title: Authentication and Authorization + status: automated + rules: [] + controls: + - id: 3.1.1 + title: Client certificate authentication should not be used for users + status: automated + rules: + - idp_is_configured + - kubeadmin_removed + levels: + - level_2 + - id: '3.2' + title: Logging + status: automated + rules: [] + controls: + - id: 3.2.1 + title: Ensure that a minimal audit policy is created + status: automated + rules: + - audit_logging_enabled + levels: + - level_1 + - id: 3.2.2 + title: Ensure that the audit policy covers key security concerns + status: automated + rules: + - audit_profile_set + levels: + - level_2 From 3349405f6349f0981ed4c2bbb53dc0832e7cf76e Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 19 Feb 2026 13:28:19 -0600 Subject: [PATCH 151/265] Implement CIS OpenShift v1.9.0 section 4 This section is largely the same as version 1.7.0 with one minor wording change to control 4.2.8, otherwise the technical controls are the same. Assisted-By: Claude Opus 4.6 --- controls/cis_ocp_190/section-4.yml | 191 +++++++++++++++++++++++++++++ 1 file changed, 191 insertions(+) create mode 100644 controls/cis_ocp_190/section-4.yml diff --git a/controls/cis_ocp_190/section-4.yml b/controls/cis_ocp_190/section-4.yml new file mode 100644 index 000000000000..4343034dbc67 --- /dev/null +++ b/controls/cis_ocp_190/section-4.yml 
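Review bot: Control 3.1.1, "Client certificate authentication should not be used for users", is mapped to `idp_is_configured` and `kubeadmin_removed`; judging by their names these rules establish that an identity provider exists and that the bootstrap `kubeadmin` user is gone, neither of which demonstrates that no user authenticates with a client certificate, so the mapping is a proxy rather than a direct check. A `notes:` line on 3.1.1 stating the rationale (for instance that these two rules are the closest automatable evidence available) would make the level_2 `automated` status defensible in an audit. The parent `'3'` is also left `pending` while both subsections are `automated`; set it consistently or note why it stays pending.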
@@ -0,0 +1,191 @@ +--- +controls: + - id: '4' + title: Worker Nodes + status: pending + rules: [] + controls: + - id: '4.1' + title: Worker Node Configuration Files + status: pending + rules: [] + controls: + - id: 4.1.1 + title: Ensure that the kubelet service file permissions are set to 644 or more restrictive + status: automated + rules: + - file_permissions_worker_service + levels: + - level_1 + - id: 4.1.2 + title: Ensure that the kubelet service file ownership is set to root:root + status: automated + rules: + - file_owner_worker_service + - file_groupowner_worker_service + levels: + - level_1 + - id: 4.1.3 + title: If proxy kube proxy configuration file exists ensure permissions are set to + 644 or more restrictive + status: automated + rules: + - file_permissions_proxy_kubeconfig + levels: + - level_1 + - id: 4.1.4 + title: If proxy kubeconfig file exists ensure ownership is set to root:root + status: automated + rules: + - file_owner_proxy_kubeconfig + - file_groupowner_proxy_kubeconfig + levels: + - level_1 + - id: 4.1.5 + title: Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or + more restrictive + status: automated + rules: + - file_permissions_kubelet_conf + levels: + - level_1 + - id: 4.1.6 + title: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root + status: automated + rules: + - file_groupowner_kubelet_conf + - file_owner_kubelet_conf + #- file_groupowner_kubelet + - file_owner_kubelet + levels: + - level_1 + - id: 4.1.7 + title: Ensure that the certificate authorities file permissions are set to 644 or more + restrictive + status: automated + rules: + - file_permissions_worker_ca + levels: + - level_1 + - id: 4.1.8 + title: Ensure that the client certificate authorities file ownership is set to root:root + status: automated + rules: + - file_owner_worker_ca + - file_groupowner_worker_ca + levels: + - level_1 + - id: 4.1.9 + title: Ensure that the kubelet --config configuration file has 
permissions set to 600 + or more restrictive + status: automated + rules: + - file_permissions_worker_kubeconfig + levels: + - level_1 + - id: 4.1.10 + title: Ensure that the kubelet configuration file ownership is set to root:root + status: automated + rules: + - file_owner_worker_kubeconfig + - file_groupowner_worker_kubeconfig + levels: + - level_1 + - id: '4.2' + title: Kubelet + status: pending + rules: [] + controls: + - id: 4.2.1 + title: Activate Garbage collection in OpenShift Container Platform 4, as appropriate + status: automated + rules: + - kubelet_eviction_thresholds_set_hard_memory_available + - kubelet_eviction_thresholds_set_hard_nodefs_available + - kubelet_eviction_thresholds_set_hard_nodefs_inodesfree + - kubelet_eviction_thresholds_set_hard_imagefs_available + levels: + - level_1 + - id: 4.2.2 + title: Ensure that the --anonymous-auth argument is set to false + status: automated + rules: + - kubelet_anonymous_auth + levels: + - level_1 + - id: 4.2.3 + title: Ensure that the --authorization-mode argument is not set to AlwaysAllow + status: automated + rules: + - kubelet_authorization_mode + levels: + - level_1 + - id: 4.2.4 + title: Ensure that the --client-ca-file argument is set as appropriate + status: automated + rules: + - kubelet_configure_client_ca + levels: + - level_1 + - id: 4.2.5 + title: Verify that the read only port is not used or is set to 0 + status: automated + rules: + - kubelet_disable_readonly_port + levels: + - level_1 + - id: 4.2.6 + title: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 + status: automated + rules: + - kubelet_enable_streaming_connections + levels: + - level_1 + - id: 4.2.7 + title: Ensure that the --make-iptables-util-chains argument is set to true + status: automated + rules: + - kubelet_enable_iptables_util_chains + levels: + - level_1 + - id: 4.2.8 + title: Ensure that the kubeAPIQPS [--event-qps] argument is set to a level which + ensures appropriate event capture + 
status: automated + rules: + - kubelet_configure_event_creation + - var_event_record_qps=50 + levels: + - level_2 + - id: 4.2.9 + title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set + as appropriate + status: automated + rules: + - kubelet_configure_tls_cert + - kubelet_configure_tls_key + levels: + - level_1 + - id: 4.2.10 + title: Ensure that the --rotate-certificates argument is not set to false + status: automated + rules: + - kubelet_enable_client_cert_rotation + - kubelet_enable_cert_rotation + levels: + - level_1 + - id: 4.2.11 + title: Verify that the RotateKubeletServerCertificate argument is set to true + status: automated + rules: + - kubelet_enable_server_cert_rotation + levels: + - level_1 + - id: 4.2.12 + title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers + status: automated + rules: + - kubelet_configure_tls_cipher_suites + - ingress_controller_tls_cipher_suites + levels: + - level_1 From 9be6c7cc5537387189a4af8bc2da34e7552a4add Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 19 Feb 2026 13:29:23 -0600 Subject: [PATCH 152/265] Implement CIS OpenShift v1.9.0 section 5 This section remains the same as version 1.7.0. Assisted-By: Claude Opus 4.6 --- controls/cis_ocp_190/section-5.yml | 216 +++++++++++++++++++++++++++++ 1 file changed, 216 insertions(+) create mode 100644 controls/cis_ocp_190/section-5.yml diff --git a/controls/cis_ocp_190/section-5.yml b/controls/cis_ocp_190/section-5.yml new file mode 100644 index 000000000000..2e8312954f91 --- /dev/null +++ b/controls/cis_ocp_190/section-5.yml 
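Review bot: Control 4.1.6 keeps a commented-out selection, `#- file_groupowner_kubelet`, between two active rules; a dead entry in a control mapping tells the reader nothing about whether the check was dropped deliberately or is still missing, so either delete the line or replace it with a `notes:` entry stating why group ownership of that kubelet path is not checked. Control 4.2.12 ("the Kubelet only makes use of Strong Cryptographic Ciphers") also lists `ingress_controller_tls_cipher_suites`, which by its name checks the ingress controller rather than the kubelet; if the benchmark's audit procedure covers both, say so in a `notes:` entry, otherwise the rule belongs under a different control. Finally, 4.2.8 mixes a variable assignment (`var_event_record_qps=50`) into `rules:`; that appears to be accepted by the controls format, but a comment such as `# 50 is the benchmark's recommended value — confirm against the 1.9.0 text` would document where the number comes from.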
@@ -0,0 +1,216 @@ +--- +controls: + - id: '5' + title: Policies + status: partial + rules: [] + controls: + - id: '5.1' + title: RBAC and Service Accounts + status: manual + rules: [] + controls: + - id: 5.1.1 + title: Ensure that the cluster-admin role is only used where required + status: manual + rules: + - rbac_limit_cluster_admin + levels: + - level_1 + - id: 5.1.2 + title: Minimize access to secrets + status: manual + rules: + - rbac_limit_secrets_access + levels: + - level_1 + - id: 5.1.3 + title: Minimize wildcard use in Roles and ClusterRoles + status: manual + rules: + - rbac_wildcard_use + levels: + - level_1 + - id: 5.1.4 + title: Minimize access to create pods + status: manual + rules: + - rbac_pod_creation_access + levels: + - level_1 + - id: 5.1.5 + title: Ensure that default service accounts are not actively used. + status: manual + rules: + - accounts_unique_service_account + levels: + - level_1 + - id: 5.1.6 + title: Ensure that Service Account Tokens are only mounted where necessary + status: manual + rules: + - accounts_restrict_service_account_tokens + levels: + - level_1 + - id: '5.2' + title: Security Context Constraints + status: partial + rules: [] + controls: + - id: 5.2.1 + title: Minimize the admission of privileged containers + status: manual + rules: + - scc_limit_privileged_containers + levels: + - level_1 + - id: 5.2.2 + title: Minimize the admission of containers wishing to share the host process ID namespace + status: manual + rules: + - scc_limit_process_id_namespace + levels: + - level_1 + - id: 5.2.3 + title: Minimize the admission of containers wishing to share the host IPC namespace + status: manual + rules: + - scc_limit_ipc_namespace + levels: + - level_1 + - id: 5.2.4 + title: Minimize the admission of containers wishing to share the host network namespace + status: manual + rules: + - scc_limit_network_namespace + levels: + - level_1 + - id: 5.2.5 + title: Minimize the admission of containers with allowPrivilegeEscalation 
+ status: manual + rules: + - scc_limit_privilege_escalation + levels: + - level_1 + - id: 5.2.6 + title: Minimize the admission of root containers + status: manual + rules: + - scc_limit_root_containers + levels: + - level_2 + - id: 5.2.7 + title: Minimize the admission of containers with the NET_RAW capability + status: manual + rules: + - scc_limit_net_raw_capability + levels: + - level_1 + - id: 5.2.8 + title: Minimize the admission of containers with added capabilities + status: automated + rules: + - scc_limit_container_allowed_capabilities + levels: + - level_1 + - id: 5.2.9 + title: Minimize the admission of containers with capabilities assigned + status: manual + rules: + - scc_drop_container_capabilities + levels: + - level_2 + - id: 5.2.10 + title: Minimize access to privileged Security Context Constraints + status: manual + rules: + - rbac_least_privilege + levels: + - level_2 + - id: '5.3' + title: Network Policies and CNI + status: partial + rules: [] + controls: + - id: 5.3.1 + title: Ensure that the CNI in use supports Network Policies + status: automated + rules: + - configure_network_policies + levels: + - level_1 + - id: 5.3.2 + title: Ensure that all Namespaces have Network Policies defined + status: partial + rules: + - configure_network_policies_namespaces + - configure_network_policies_hypershift_hosted + levels: + - level_2 + - id: '5.4' + title: Secrets Management + status: manual + rules: [] + controls: + - id: 5.4.1 + title: Prefer using secrets as files over secrets as environment variables + status: manual + rules: + - secrets_no_environment_variables + levels: + - level_1 + - id: 5.4.2 + title: Consider external secret storage + status: manual + rules: + - secrets_consider_external_storage + levels: + - level_2 + - id: '5.5' + title: Extensible Admission Control + status: automated + rules: [] + controls: + - id: 5.5.1 + title: Configure Image Provenance using image controller configuration parameters + status: automated + rules: + - 
ocp_allowed_registries + - ocp_allowed_registries_for_import + - ocp_insecure_registries + - ocp_insecure_allowed_registries_for_import + levels: + - level_2 + - id: '5.7' + title: General Policies + status: manual + rules: [] + controls: + - id: 5.7.1 + title: Create administrative boundaries between resources using namespaces + status: manual + rules: + - general_namespaces_in_use + levels: + - level_1 + - id: 5.7.2 + title: Ensure that the seccomp profile is set to docker/default in your pod definitions + status: manual + rules: + - general_default_seccomp_profile + levels: + - level_2 + - id: 5.7.3 + title: Apply Security Context to Your Pods and Containers + status: manual + rules: + - general_apply_scc + levels: + - level_2 + - id: 5.7.4 + title: The default namespace should not be used + status: manual + rules: + - general_default_namespace_use + levels: + - level_2 From 329fef1f6483c808ca5864ac59db90adefa39a7f Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 12 Feb 2026 14:40:32 +0000 Subject: [PATCH 153/265] Enable net_admin to allow firewall rule tests to run Signed-off-by: Alan Moore --- tests/ssg_test_suite/test_env.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py index 76214532500f..e35ddc4eb57c 100644 --- a/tests/ssg_test_suite/test_env.py +++ b/tests/ssg_test_suite/test_env.py @@ -534,6 +534,7 @@ def _new_container_from_image(self, image_name, container_name): "--cap-add=cap_sys_chroot", # "--privileged", "--network", "slirp4netns:mtu=1500", + "--cap-add=cap_net_admin", "--publish", "{}".format(self.internal_ssh_port), "--detach", image_name, "/usr/sbin/sshd", "-p", "{}".format(self.internal_ssh_port), "-D"] try: From 91af709768cf98dd6eff7d12e5cc3de5d786e29a Mon Sep 17 00:00:00 2001 
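Review bot: The control numbering jumps from `'5.5'` straight to `'5.7'` with nothing explaining the gap, so the next maintainer is likely to go looking for a "missing" 5.6. If the gap mirrors the benchmark itself (I believe the CIS OpenShift benchmark has no 5.6, but that should be confirmed against the v1.9.0 document), a YAML comment immediately above the `- id: '5.7'` entry, e.g. `# 5.6 intentionally absent: the CIS OCP benchmark skips this section number`, would make that auditable. The commit message states section 5 is unchanged from 1.7.0; recording that provenance in a header comment in the file would let the next benchmark bump diff against a known baseline.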
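Review bot: The new `"--cap-add=cap_net_admin",` line is dropped between the `--network` and `--publish` arguments rather than next to the existing `"--cap-add=cap_sys_chroot",`, and nothing in the code says why the test container now needs to reconfigure its own network stack. CAP_NET_ADMIN is a much broader grant than sys_chroot (routing, nftables/iptables, interface config), and it is being added while `--privileged` is deliberately left commented out, so it is worth recording that it is the minimal capability needed rather than a convenience. Suggested lines, grouped with the other capability: `"--cap-add=cap_sys_chroot",` / `# needed by the firewall rule tests; presumably scoped to the container's slirp4netns namespace` / `"--cap-add=cap_net_admin",`. `_new_container_from_image` starts before the hunk and continues after it, so I cannot see whether any later argument depends on the ordering.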
From: Arden97 Date: Mon, 16 Feb 2026 16:36:13 +0100 Subject: [PATCH 154/265] check for selinux state when remediating selinux_not_disabled --- .../selinux_not_disabled/ansible/shared.yml | 32 ++++++++++++------- .../selinux_not_disabled/bash/shared.sh | 14 ++++++-- 2 files changed, 32 insertions(+), 14 deletions(-) diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml index 756897defedf..b5608120716b 100644 --- a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml +++ b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml 
@@ -4,19 +4,27 @@ # complexity = low # disruption = low -- name: "{{{ rule_title }}} - Check current SELinux state" - ansible.builtin.command: - cmd: getenforce - register: current_selinux_state +- name: "{{{ rule_title }}} - Check current SELinux configuration" + ansible.builtin.slurp: + src: /etc/selinux/config + register: selinux_config_content check_mode: false changed_when: false + failed_when: false -{{{ ansible_selinux_config_set(parameter="SELINUX", value="permissive", rule_title=rule_title) }}} +- name: "{{{ rule_title }}} - Extract SELinux state from config" + ansible.builtin.set_fact: + selinux_config_state: "{{ selinux_config_content.content | b64decode | regex_search('^\\s*SELINUX=(enforcing|permissive|disabled)', '\\1', multiline=True) | default([]) | first | default('') }}" + when: selinux_config_content.content is defined -- name: "{{{ rule_title }}} - Mark system to relabel SELinux on next boot" - ansible.builtin.file: - path: /.autorelabel - state: touch - access_time: preserve - modification_time: preserve - when: current_selinux_state.stdout | lower != "permissive" +- name: "{{{ rule_title }}} - Set SELinux state to permissive if disabled or not configured" + block: + {{{ ansible_selinux_config_set(parameter="SELINUX", value="permissive", rule_title=rule_title) | indent(4) }}} + + - name: "{{{ rule_title }}} - Mark system to relabel SELinux on next boot" + ansible.builtin.file: + path: /.autorelabel + state: touch + access_time: preserve + modification_time: preserve + when: selinux_config_state | default('') not in ['enforcing', 'permissive'] diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh b/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh index 95b0795ea481..c5e6dd817545 100644 --- a/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh +++ b/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh 
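Review bot: Replacing the `getenforce` probe with a read of `/etc/selinux/config` makes the relabel marker depend only on the configured mode, so a host that is currently running with SELinux disabled (for example through a kernel command-line override) but whose config already says permissive or enforcing will receive neither the config change nor `/.autorelabel`, whereas the removed logic touched the marker whenever the running state was not permissive. If that is intended because this rule asserts only the config file, a comment on the block would prevent it being read as a regression, e.g. `# Only the configured mode is consulted here; the running mode is the subject of other rules`. Note also that whether the trailing `when:` binds to the whole block or only to the relabel task depends on indentation that is not recoverable from this rendering; if it covers only the file task, the macro would still rewrite an enforcing host to permissive.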
@@ -4,6 +4,16 @@
# complexity = low
# disruption = low
-{{{ bash_selinux_config_set(parameter="SELINUX", value="permissive", rule_id=rule_id) }}}
+# Check current SELinux state in config file
+selinux_current_state=""
+if [ -f "/etc/selinux/config" ]; then
+ selinux_current_state=$(grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config || true)
+fi
-fixfiles onboot
+# Only remediate if SELinux is disabled or not configured
+# If already set to enforcing or permissive, it's compliant - preserve the current state
+if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]; then
+ # SELinux is disabled or not configured, set to permissive as a conservative approach
+ {{{ bash_selinux_config_set(parameter="SELINUX", value="permissive", rule_id=rule_id) }}}
+ fixfiles onboot
+fi
From b01f159ac2f017b9520a9da43024a0dcd6d99287 Mon Sep 17 00:00:00 2001
From: Arden97
Date: Tue, 17 Feb 2026 00:15:51 +0100
Subject: [PATCH 155/265] refactor shared.yml for selinux_not_disabled
---
.../selinux/selinux_not_disabled/ansible/shared.yml | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml
index b5608120716b..b3a694a27ed0 100644
--- a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml
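Review bot: The guard depends on `grep -oP`; on a grep built without PCRE support the command fails, `|| true` swallows the error, `selinux_current_state` stays empty and the script takes the remediation branch — which rewrites an enforcing host to permissive whenever this script is run outside a scan-gated workflow. A portable extraction avoids that failure mode: `selinux_current_state=$(sed -n -E 's/^[[:space:]]*SELINUX=(enforcing|permissive|disabled)[[:space:]]*$/\1/p' /etc/selinux/config | tail -n 1)`. The `tail -n 1` also keeps the comparison meaningful when the file carries more than one `SELINUX=` line, where the current `grep -o` output is multi-line and matches neither branch (I believe libselinux honours the last occurrence, but verify). Whether every product this rule applies to ships a PCRE-enabled grep is not visible here, so treat the first point as hardening rather than a confirmed breakage.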
@@ -5,18 +5,13 @@ # disruption = low - name: "{{{ rule_title }}} - Check current SELinux configuration" - ansible.builtin.slurp: - src: /etc/selinux/config - register: selinux_config_content + ansible.builtin.command: + cmd: grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config + register: selinux_config_state check_mode: false changed_when: false failed_when: false -- name: "{{{ rule_title }}} - Extract SELinux state from config" - ansible.builtin.set_fact: - selinux_config_state: "{{ selinux_config_content.content | b64decode | regex_search('^\\s*SELINUX=(enforcing|permissive|disabled)', '\\1', multiline=True) | default([]) | first | default('') }}" - when: selinux_config_content.content is defined - - name: "{{{ rule_title }}} - Set SELinux state to permissive if disabled or not configured" block: {{{ ansible_selinux_config_set(parameter="SELINUX", value="permissive", rule_title=rule_title) | indent(4) }}} @@ -27,4 +22,4 @@ state: touch access_time: preserve modification_time: preserve - when: selinux_config_state | default('') not in ['enforcing', 'permissive'] + when: selinux_config_state.stdout not in ['enforcing', 'permissive'] From 22b05f2d88832c5eb115cf6070bcd3e864b8c9d4 Mon Sep 17 00:00:00 2001 From: Arden97 Date: Fri, 20 Feb 2026 11:04:46 +0100 Subject: [PATCH 156/265] update rule.yml for selinux_not_disabled --- .../selinux/selinux_not_disabled/rule.yml | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml index e9648d4d2235..73fe9ca6df76 100644 --- a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml +++ b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml @@ -9,7 +9,8 @@ description: |-
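Review bot: The new `grep -oP` command runs under `failed_when: false`, so a grep without PCRE support, a syntax problem in the pattern, or an absent config file all collapse into an empty `stdout`, which the `when:` further down treats as "not configured" and remediates — and Ansible remediation playbooks are typically run unconditionally, not only on hosts that failed the scan, so an enforcing host would be downgraded to permissive. Prefer an extraction that does not need PCRE, `cmd: sed -n -E 's/^[[:space:]]*SELINUX=(enforcing|permissive|disabled)[[:space:]]*$/\1/p' /etc/selinux/config`, and consider `failed_when: selinux_config_state.rc not in [0, 1]` so that a genuine tool failure surfaces instead of being read as "disabled". The slurp/regex_search variant this replaces had no such external dependency; if the switch to a shell command is for readability, a comment saying so would help.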
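Review bot: `selinux_config_state.stdout not in ['enforcing', 'permissive']` is a whole-string comparison, so if `/etc/selinux/config` carries more than one `SELINUX=` line (not unusual after repeated remediations or hand edits) the registered `stdout` is multi-line, never equals either value, and the block rewrites the file to permissive even when the effective last line says enforcing. Comparing the last match instead keeps the check aligned with what the loader uses: `when: (selinux_config_state.stdout_lines | last | default('')) not in ['enforcing', 'permissive']`. The `| default('')` also covers the empty-output case that `failed_when: false` can produce. The block this `when:` belongs to starts in the previous hunk.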
SELINUX=enforcing
OR
SELINUX=permissive
- Ensure that all files have correct SELinux labels by running: + If SELinux is currently disabled or not configured, ensure that all files have correct SELinux + labels by running:
fixfiles onboot
Then reboot the system. @@ -40,7 +41,11 @@ ocil: |- fixtext: |- Configure {{{ full_name }}} to enable SELinux. - Edit the file /etc/selinux/config and add or modify the following line: + If SELinux is currently set to "enforcing" or "permissive" in /etc/selinux/config, + the system is compliant and no changes are needed. + + If SELinux is disabled or not configured, edit the file /etc/selinux/config + and add or modify the following line:
SELINUX=enforcing
OR
SELINUX=permissive
@@ -49,7 +54,9 @@ fixtext: |- warnings: - general: |- - In case the SELinux is "disabled", the automated remediation will adopt a more - conservative approach and set it to "permissive" in order to avoid any system disruption - and give the administrator the opportunity to assess the impact and necessary efforts - before setting it to "enforcing", which is strongly recommended. + The automated remediation checks the SELinux configuration in /etc/selinux/config. + If SELinux is already set to "enforcing" or "permissive", the current state is preserved + and no changes are made. If SELinux is "disabled" or not configured, the remediation will + adopt a conservative approach and set it to "permissive" in order to avoid any system + disruption and give the administrator the opportunity to assess the impact and necessary + efforts before setting it to "enforcing", which is strongly recommended. From 3505fb70233fca76affd7f3cf0b72f15095a0000 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Fri, 20 Feb 2026 15:24:50 +0000 Subject: [PATCH 157/265] Remove aes192-ctr Signed-off-by: Alan Moore --- .../ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml index c04eaa8df1f4..b4be9801bb8c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml 
@@ -1,5 +1,5 @@
{{%- if product == 'ubuntu2204' %}}
-{{%- set sshd_approved_ciphers = "aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com" %}}
+{{%- set sshd_approved_ciphers = "aes256-ctr,aes256-gcm@openssh.com,aes128-ctr,aes128-gcm@openssh.com" %}}
{{%- else %}}
{{%- set sshd_approved_ciphers = "aes256-ctr,aes192-ctr,aes128-ctr" %}}
{{%- endif %}}
From 8da65e5fd8801bd85e4f0a83db1a78e6887c90d4 Mon Sep 17 00:00:00 2001
From: Eric Berry
Date: Thu, 19 Feb 2026 14:05:09 -0800
Subject: [PATCH 158/265] Implement UBTU-22-432010 & UBTU-22-432011
---
controls/stig_ubuntu2204.yml | 10 +++++++++-
products/ubuntu2204/profiles/default.profile | 3 +--
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml
index 0f6b991ab240..2b5385fea319 100644
--- a/controls/stig_ubuntu2204.yml
+++ b/controls/stig_ubuntu2204.yml
@@ -790,7 +790,15 @@ controls:
levels:
- medium
rules:
- - sudo_require_authentication
+ - sudo_remove_no_authenticate
+ status: automated
+
+ - id: UBTU-22-432011
+ title: Ubuntu 22.04 LTS must require users to provide a password for privilege escalation.
+ levels:
+ - medium
+ rules:
+ - sudo_remove_nopasswd
status: automated
- id: UBTU-22-432015
diff --git a/products/ubuntu2204/profiles/default.profile b/products/ubuntu2204/profiles/default.profile
index 982095129892..54a33e3d1ac9 100644
--- a/products/ubuntu2204/profiles/default.profile
+++ b/products/ubuntu2204/profiles/default.profile
@@ -582,8 +582,7 @@ selections:
- sudo_add_use_pty
- sudo_custom_logfile
- sudo_remove_no_authenticate
- - sudo_require_authentication
- - sudo_require_reauthentication
+ - sudo_remove_nopasswd
- sysctl_fs_suid_dumpable
- sysctl_kernel_dmesg_restrict
- sysctl_kernel_randomize_va_space
From 8707b455a280d4e294a1536cac204d00b98427fe Mon Sep 17 00:00:00 2001
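Review bot: The ubuntu2204 cipher list loses `aes192-ctr` with no comment recording which benchmark revision the new value tracks, so the next person diffing this against the STIG cannot tell whether the omission is deliberate or a typo. A Jinja comment above the `set`, e.g. `{{#- ubuntu2204: matches the Ubuntu 22.04 STIG sshd Ciphers value, which does not list aes192-ctr (fill in STIG revision) -#}}`, would make it auditable; the exact revision is not visible here. The `else` branch still carries `aes192-ctr`, which is fine if those benchmarks require it, but the asymmetry is one more reason to document the source of each list.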
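Review bot: The default.profile hunk removes `sudo_require_reauthentication` together with `sudo_require_authentication`, but the commit message and the controls hunk only account for the latter (replaced by `sudo_remove_no_authenticate` and `sudo_remove_nopasswd`). By its name `sudo_require_reauthentication` is the `timestamp_timeout` requirement, so if nothing else in the profile or the STIG control file still selects it, that check silently drops out of the Ubuntu 22.04 default profile; if it is still wanted, keep the line `- sudo_require_reauthentication` in the selections. The rest of the profile and the controls file are outside this diff, so it may already be covered elsewhere — a one-line confirmation in the commit message would settle it.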
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 23 Feb 2026 10:57:06 +0200
Subject: [PATCH 159/265] Add package rsync name definition for rsync package for sle16
---
.../guide/services/obsolete/service_rsyncd_disabled/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
index 1db77bb04a7a..d4ed1fb801e0 100644
--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
@@ -41,6 +41,7 @@ template:
packagename@ol7: rsync
packagename@sle12: rsync
packagename@sle15: rsync
+ packagename@sle16: rsync
packagename@slmicro5: rsync
packagename@openeuler2203: rsync
servicename@ubuntu2404: rsync
From ca9abb62653eae07b2ab42b32fd2e865aa031dd3 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 23 Feb 2026 12:27:41 +0200
Subject: [PATCH 160/265] Add tftp package definition for sle platforms
---
.../services/obsolete/tftp/package_tftp-server_removed/rule.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index bba598123a34..1d6fbf388c10 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -2,6 +2,8 @@ documentation_complete: true
{{% if 'ubuntu' in product %}}
{{% set package_name = "tftpd-hpa" %}}
+{{% elif 'sle' in product %}}
+{{% set package_name = "tftp" %}}
{{% else %}}
{{% set package_name = "tftp-server" %}}
{{% endif %}}
From c5f576e0b5b5925d68c33902b383dba287792e4d Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 18 Feb 2026 13:39:39 +0100
Subject: [PATCH 161/265] Remove nullok from common-auth on Ubuntu 22.04 Aligns with Ubuntu 22.04 STIG rule V2R7 (UBTU-22-611060 Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords)
---
.../no_empty_passwords/ansible/shared.yml | 2 +-
.../no_empty_passwords/bash/shared.sh | 12 +++++++
.../no_empty_passwords/oval/shared.xml | 2 +-
.../no_empty_passwords/rule.yml | 10 +++---
.../tests/no_nullok.pass.sh | 4 +--
.../tests/nullok_commented.pass.sh | 4 +--
.../tests/nullok_present_auth.fail.sh | 35 +++++++++++++++++++
.../tests/nullok_present_password.fail.sh | 35 +++++++++++++++++++
8 files changed, 93 insertions(+), 11 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
index 35dffe1f94d3..78a18739de13 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
@@ -4,7 +4,7 @@
# complexity = low
# disruption = medium
{{% if 'ubuntu' in product %}}
-{{%- set pam_config_paths = "['/etc/pam.d/common-password']" %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-auth', '/etc/pam.d/common-password']" %}}
{{% else %}}
{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
{{% endif %}}
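Review bot: Adding `/etc/pam.d/common-auth` to `pam_config_paths` is the right scope for the check, but if the tasks that consume this list (they are outside the hunk) edit those files in place, the fix will not survive the next `pam-auth-update` run, because on Ubuntu both common-auth and common-password are generated from the pam-configs profiles. The bash remediation in this same commit edits the pam-configs profile and re-runs `pam-auth-update`, so the two remediations presumably diverge in durability. Either make the Ansible side fix the profile as well, or add a comment beside the `set`, e.g. `{{# Ubuntu: common-auth/common-password are regenerated by pam-auth-update; direct edits persist only until the pam-configs profile is next applied #}}`, so the limitation is explicit.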
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh index e235cdbdd4ab..90a9c6de3992 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh @@ -25,6 +25,18 @@ sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { } }' "$config_file" +sed -i -E '/^Auth:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*nullok//g + } +}' "$config_file" + +sed -i -E '/^Auth-Initial:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*nullok//g + } +}' "$config_file" + DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} if [ -f /usr/bin/authselect ]; then diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml index ddbde376b499..ac2fc52abd05 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml @@ -15,7 +15,7 @@ {{% if 'sle' in product or 'slmicro' in product %}} ^/etc/pam.d/.*$ {{% elif 'ubuntu' in product %}} - ^/etc/pam.d/common-password + ^/etc/pam.d/common-(auth|password)$ {{% else %}} ^/etc/pam.d/(system|password)-auth$ {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml index 746e729b1057..b88e482f57ca 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml 
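Review bot: The two new `sed` blocks strip `nullok` with `s/\s*nullok//g`, which matches it as a substring, so a `pam_unix.so nullok_secure` entry (an option Debian's pam_unix accepted for years) would be rewritten to `pam_unix.so _secure` — an unrecognised option that pam_unix will most likely log and ignore, but it leaves the profile looking corrupted and is hard to diagnose. Anchoring the option, `s/\s+nullok(_secure)?\b//g`, removes both spellings cleanly (GNU sed, which Ubuntu ships, supports `\b` under `-E`). The pre-existing Password blocks shown as context use the same loose pattern, so if you tighten it here the same change belongs there for consistency. The sed range `/^Auth:/,/^[^[:space:]]/` is correct for the pam-configs profile format; a one-line comment naming that format next to the first block would help the next reader, since `$config_file` is assigned above the hunk.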
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml @@ -10,7 +10,7 @@ description: |- {{% if 'sle' in product or 'slmicro' in product%}} password authentication configurations in /etc/pam.d/ {{% elif 'ubuntu' in product %}} - /etc/pam.d/common-password + /etc/pam.d/common-auth and /etc/pam.d/common-password {{% else %}} /etc/pam.d/system-auth and /etc/pam.d/password-auth @@ -63,7 +63,7 @@ ocil: |- {{% if 'sle' in product or 'slmicro' in product %}}
$ grep pam_unix.so /etc/pam.d/* | grep nullok
{{% elif 'ubuntu' in product %}} -
grep nullok /etc/pam.d/common-password
+
grep nullok /etc/pam.d/common-auth /etc/pam.d/common-password
{{% else %}}
$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
{{% endif %}} @@ -72,10 +72,10 @@ ocil: |- prevent logins with empty passwords. fixtext: |- - Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-password file {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null + Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-auth and common-password files {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null passwords. {{% if 'ubuntu' in product %}} - Remove any instances of the "nullok" option in "/etc/pam.d/common-password" + Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" {{% else %}} Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files @@ -85,7 +85,7 @@ fixtext: |- Note: Manual changes to the listed file may be overwritten by the "authselect" program. srg_requirement: |- - '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-password file.{{% else %}} system-auth file nor + '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-auth and common-password files.{{% else %}} system-auth file nor password-auth. {{% endif %}}' warnings: diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh index 6f56a2e0ddae..d1bfb5fc8de3 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh 
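Review bot: The Ubuntu branch of `fixtext` now tells the operator to remove `nullok` from `/etc/pam.d/common-auth` and `/etc/pam.d/common-password` directly, but on Ubuntu those files are generated by `pam-auth-update`, and the bash remediation in this same commit accordingly edits the pam-configs profile and re-runs `pam-auth-update` rather than touching `/etc/pam.d` — a hand edit of common-* is reverted the next time any PAM profile is (re)applied. Suggest adding, after the Ubuntu `Remove any instances…` line: `Note: these files are generated by pam-auth-update; remove "nullok" from the pam_unix entries in the pam-configs profile (presumably /usr/share/pam-configs/unix) and run "pam-auth-update" so the change persists.` The existing `authselect` note in the non-Ubuntu text shows the same concern is already documented for Fedora-family products, so the two branches should be kept product-specific.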
@@ -12,9 +12,9 @@ Priority: 257
Conflicts: unix
Auth-Type: Primary
Auth:
- [success=end default=ignore] pam_unix.so nullok try_first_pass
+ [success=end default=ignore] pam_unix.so try_first_pass
Auth-Initial:
- [success=end default=ignore] pam_unix.so nullok
+ [success=end default=ignore] pam_unix.so
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
index 1c20026e7dd0..9c2ed1c87f26 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
@@ -12,9 +12,9 @@ Priority: 257
Conflicts: unix
Auth-Type: Primary
Auth:
- [success=end default=ignore] pam_unix.so nullok try_first_pass
+ [success=end default=ignore] pam_unix.so try_first_pass # nullok
Auth-Initial:
- [success=end default=ignore] pam_unix.so nullok
+ [success=end default=ignore] pam_unix.so # nullok
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh
new file mode 100644
index 000000000000..4468cb808777
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 257
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so nullok try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so nullok
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh
new file mode 100644
index 000000000000..29e3cf57fcb9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 257
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
From 6f5574549317a289c077af216b8c4c40edb94a90 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Tue, 24 Feb 2026 11:28:51 +0200
Subject: [PATCH 162/265] Update SLES product names
---
CMakeLists.txt | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9879c57cf4f2..ab899deea925 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -347,9 +347,9 @@ message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}")
message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
-message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
-message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
-message(STATUS "SUSE 16: ${SSG_PRODUCT_SLE16}")
+message(STATUS "SLES 12: ${SSG_PRODUCT_SLE12}")
+message(STATUS "SLES 15: ${SSG_PRODUCT_SLE15}")
+message(STATUS "SLES 16: ${SSG_PRODUCT_SLE16}")
message(STATUS "SLE Micro 5: ${SSG_PRODUCT_SLMICRO5}")
message(STATUS "SLE Micro 6: ${SSG_PRODUCT_SLMICRO6}")
message(STATUS "TencentOS Server 4: ${SSG_PRODUCT_TENCENTOS4}")
From 4413770ac51478659cd83ab25162136ce22b6dac Mon Sep 17 00:00:00 2001
From: svet-se
Date: Tue, 24 Feb 2026 11:35:11 +0200
Subject: [PATCH 163/265] SLE12 update SSH Strong MACs
---
linux_os/guide/services/ssh/sshd_strong_macs.var | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var
index 03f8dee10d54..a0a75f544ff8 100644
--- a/linux_os/guide/services/ssh/sshd_strong_macs.var
+++ b/linux_os/guide/services/ssh/sshd_strong_macs.var
@@ -15,7 +15,7 @@ options:
 cis_rhel8: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 cis_rhel9: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 cis_rhel10: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
- cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+ cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_tencentos4: hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
 cis_ubuntu2204: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
From 831616cd794ceb4dd8c5944683771b20d0ac2d25 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 24 Feb 2026 12:14:46 +0100
Subject: [PATCH 164/265] sysctl_kernel_core_pattern_empty_string: make implementation of the rule similar to the templated one Ansible, BAsh, OVAL Template not used, because empty string is tricky to implement in the current sysctl template and I decided that reengineering the whole template is not worth the result.
---
 .../ansible/shared.yml | 29 +++-
 .../bash/shared.sh | 42 ++---
 .../oval/shared.xml | 164 +++++-------------
 3 files changed, 85 insertions(+), 150 deletions(-)
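Review bot: The new `cis_sle12` value is now byte-identical to `cis_sle15`, and nothing in the file records why `hmac-ripemd160` was dropped, so the next reader may well re-add it. A one-line comment above the entry would prevent that, e.g. `# hmac-ripemd160 removed: no longer offered by the OpenSSH versions CIS targets` (adjust the reason if the benchmark text says otherwise). Whether SLE12's sshd accepts the remaining `umac-128-etm@openssh.com` entry cannot be confirmed from this `.var` alone.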
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml index 8d95be5ac6b1..174866b22b55 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml @@ -4,9 +4,16 @@ # complexity = low # disruption = medium +- name: "{{{ rule_title }}} - Set fact for sysctl paths" + ansible.builtin.set_fact: + sysctl_paths: + - "/etc/sysctl.d/" + - "/run/sysctl.d/" + - "/usr/local/lib/sysctl.d/" + - name: "{{{ rule_title }}} - Find all files that contain kernel.core_pattern" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false @@ -14,7 +21,7 @@ - name: "{{{ rule_title }}} - Find all files that set kernel.core_pattern to correct value" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' register: find_correct_value check_mode: false changed_when: false 
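Review bot: `sysctl_paths` lists `/etc/sysctl.d/`, `/run/sysctl.d/` and `/usr/local/lib/sysctl.d/` but not `/usr/lib/sysctl.d/`, which the OVAL in this same commit now scans with its own object; a vendor drop-in there that sets a non-empty `kernel.core_pattern` is left untouched by this remediation, and whether the check tolerates that cannot be confirmed from the mangled OVAL hunk. If vendor files are deliberately not rewritten, say so where the fact is defined: `# /usr/lib/sysctl.d is vendor-owned and intentionally not edited; /etc/sysctl.d/kernel_core_pattern.conf overrides it at load time`. Separately, `find … | xargs grep` exits 1 when no file contains the key, so both shell tasks fail on a host with no `kernel.core_pattern` entry unless a `failed_when: false` exists below the visible context lines.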
@@ -23,15 +30,23 @@ - name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from config files" ansible.builtin.replace: path: '{{ item | split(":") | first }}' - regexp: ^[\s]*kernel.core_pattern + regexp: '^[\s]*kernel.core_pattern' replace: '#kernel.core_pattern' loop: '{{ find_all_values.stdout_lines }}' when: find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length +- name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf" + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^[\s]*kernel.core_pattern' + replace: '#kernel.core_pattern' + with_fileglob: + - "/etc/sysctl.conf" + - name: "{{{ rule_title }}} - Ensure sysctl kernel.core_pattern is set to empty" ansible.posix.sysctl: - name: kernel.core_pattern - value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces - sysctl_file: "/etc/sysctl.conf" + name: "kernel.core_pattern" + value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces + sysctl_file: "/etc/sysctl.d/kernel_core_pattern.conf" state: present - reload: true + reload: yes diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh index 2b2f1cd70b66..301e434e8c03 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh 
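Review bot: `with_fileglob` is a lookup, and lookups run on the control node, so the new "Comment out … from /etc/sysctl.conf" task loops over the controller's `/etc/sysctl.conf` rather than the managed host's: it is silently skipped when the controller lacks the file and fails with a missing-path error when the controller has it but the target does not. Test for the file on the managed node with `ansible.builtin.stat` and gate the `replace` on the result, as below. The final `ansible.posix.sysctl` task is unchanged apart from the target file and the `value: ' '` workaround it inherits.

```yaml
- name: "{{{ rule_title }}} - Check whether /etc/sysctl.conf exists"
  ansible.builtin.stat:
    path: /etc/sysctl.conf
  register: sysctl_conf_stat

- name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf"
  ansible.builtin.replace:
    path: /etc/sysctl.conf
    regexp: '^[\s]*kernel.core_pattern'
    replace: '#kernel.core_pattern'
  when: sysctl_conf_stat.stat.exists

# … unchanged: "Ensure sysctl kernel.core_pattern is set to empty" task …
```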
@@ -5,49 +5,39 @@ # disruption = medium # Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) + if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f + sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE='/etc/sysctl.d/kernel_core_pattern.conf' + # # Set runtime for kernel.core_pattern # -/sbin/sysctl -q -n -w kernel.core_pattern="" +if {{{ bash_not_bootc_build() }}} ; then + /sbin/sysctl -q -n -w kernel.core_pattern="" +fi # # If kernel.core_pattern present in /etc/sysctl.conf, change value to empty # else, add "kernel.core_pattern =" to /etc/sysctl.conf # -# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. -# Otherwise, regular sed command will do. -sed_command=('sed' '-i') -if test -L "/etc/sysctl.conf"; then - sed_command+=('--follow-symlinks') -fi - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") -# shellcheck disable=SC2059 -printf -v formatted_output "%s=" "$stripped_key" +sed -i --follow-symlinks "/^kernel.core_pattern/d" /etc/sysctl.conf -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" -else - # \n is precaution for case where file ends without trailing newline - - printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" -fi +{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^kernel.core_pattern', '', cce_identifiers=cce_identifiers) }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml index 3fba84e44eac..8005c5990f02 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml 
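Review bot: The new `sed -i --follow-symlinks "/^kernel.core_pattern/d" /etc/sysctl.conf` deletes matching lines outright, whereas the loop above comments them out "to preserve user data", and its anchor at column 0 lets an indented `  kernel.core_pattern = core` survive; the comment block above it ("change value to empty … else, add") still describes the old behaviour. Replace the three-line block with `if [ -f /etc/sysctl.conf ]; then` / `sed -i --follow-symlinks -E 's/^([[:space:]]*kernel\.core_pattern)/#\1/' /etc/sysctl.conf` / `fi`, which also avoids a sed error on hosts that have no `/etc/sysctl.conf`, and reword the comment to `# Comment out kernel.core_pattern in /etc/sysctl.conf; the desired value is written to $SYSCONFIG_FILE below`. The unquoted `$f` in the grep and sed of the loop predates this change but is worth quoting while the lines are being touched.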
@@ -37,155 +37,68 @@ + {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.", rule_title=rule_title) }}} - - - - - - + + + + + - - + - + - - - - + + + - - + + + - -{{% if target_oval_version >= [5, 11] %}} - - - - - - - local_var_sysctl_kernel_core_pattern_empty_string_counter - - - - 1 - - - - - - - - - - - - - object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered - state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink - - - - - - - - - - - - - - - - - var_obj_symlink_sysctl_kernel_core_pattern_empty_string - var_obj_blank_sysctl_kernel_core_pattern_empty_string - - - - - local_var_blank_path_sysctl_kernel_core_pattern_empty_string - - - - - - - - local_var_symlinks_sysctl_kernel_core_pattern_empty_string - - - - - - - - - - - - - state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string - - - - - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - -{{% endif %}} - - - - - - + + - object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string - object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string + object_static_etc_lib_sysctls_sysctl_kernel_core_pattern_empty_string + object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern_empty_string - + object_static_sysctl_sysctl_kernel_core_pattern_empty_string object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string - + + object_static_usr_local_lib_sysctld_sysctl_kernel_core_pattern_empty_string object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string + /etc/sysctl.conf ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ 
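Review bot: The removed `target_oval_version >= [5, 11]` block was the only place that filtered symlinks (`state_symlink_points_outside_usual_dirs_…` with `^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$`); with it gone, the `/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf` symlink that the bash remediation in this same commit explicitly skips is read twice, once through the `/etc/sysctl.conf` object and once through the `/etc/sysctl.d` object. The element tags of this hunk did not survive rendering, so I cannot confirm whether the new object set tolerates that duplicate. A test scenario that creates the symlink next to a correct value would settle it, and a comment such as `<!-- /etc/sysctl.d/99-sysctl.conf may be a symlink to /etc/sysctl.conf; its content is collected under both objects -->` should record the intent either way.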
@@ -205,6 +118,23 @@ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ 1 + + + /usr/local/lib/sysctl.d + ^.*\.conf$ + ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ + 1 + + + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ + 1 + + + From 5ad5bc68ea59f739c43d7bdc0a7ae7da0cb9e359 Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Mon, 23 Feb 2026 11:20:45 +0100 Subject: [PATCH 165/265] Fix drop in template to ignore commented out lines. In cases where a compliant commented out value was found, the script would consider a found=true directive and would then ignore the rest of the remediation. for example, if it would find [Journal] \#ForwardToSyslog=no for the rule journald_disable_forward_to_syslog, then it would not run the entire remediation with the proper fix. Detailed description of implemented changes Anchor at Start of Line: Added ^ to grep and sed patterns. This ensures that a line starting with #{{{ key }}} will not match, as the regex now expects the line to start with either whitespace or the key itself. Multiline Mode for Grep: Added (?m) to the grep -P commands. This flag makes the ^ anchor match the start of every line within the file buffer instead of just the very beginning of the file. Selective Sed Replacement: The sed command now specifically selects the line to edit by matching the un-commented key at the start of a line (/^[[:space:]]*{{{ key }}}/) before performing the substitution (s/=.*/.../). Active Value Verification: The second grep check now verifies if the active configuration matches the target value, preventing it from seeing a commented-out correct value and wrongly deciding that no action is needed. --- shared/macros/10-bash.jinja | 14 +++++++------- .../commented_out_correct_value_master.fail.sh | 13 +++++++++++++ .../bash/test_bash_ensure_ini_config.bats.jinja | 6 +++--- 3 files changed, 23 insertions(+), 10 deletions(-) create mode 100644 shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 7a92cfd8cdb7..7ad8a71c0246 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -2253,23 +2253,23 @@ for f in $(echo -n "{{{ files }}}"); do fi # find key in section and change value - if grep -qzosP "[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then - if ! grep -qPz "{{{ key }}}={{{ value }}}" "$f"; then + if grep -qzosP "(?m)^[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then + if ! grep -qzosP "(?m)^[[:space:]]*{{{ key }}}[[:space:]]*=[[:space:]]*{{{ value }}}" "$f"; then {{% if no_quotes %}} - sed -i "s/{{{ key }}}[^(\n)]*/{{{ key }}}={{{ value | replace("/", "\/") }}}/" "$f" + sed -i "/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1{{{ value | replace("/", "\/") }}}/" "$f" {{% else %}} - sed -i 's/{{{ key }}}[^(\n)]*/{{{ key }}}="{{{ value | replace("/", "\/") }}}"/' "$f" + sed -i '/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1"{{{ value | replace("/", "\/") }}}"/' "$f" {{% endif %}} fi found=true # find section and add key = value to it - elif grep -qs "[[:space:]]*\[{{{ section }}}\]" "$f"; then + elif grep -qs "^[[:space:]]*\[{{{ section }}}\]" "$f"; then {{% if no_quotes %}} - sed -i "/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f" + sed -i "/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f" {{% else %}} - sed -i '/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f" + sed -i '/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f" {{% endif %}} found=true fi diff --git a/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh b/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh new file mode 100644 index 000000000000..90b69e6f4047 --- /dev/null +++ b/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh 
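Review bot: The sed address `/^[[:space:]]*{{{ key }}}/` has no boundary after the key, so it rewrites every line that merely starts with the key, including a longer option such as `{{{ key }}}Extra=` and the same key in a different section; the gating grep is likewise not anchored at the end and interpolates `{{{ value }}}` unescaped into a PCRE, so a value containing `.`, `+` or `|` is matched as a pattern rather than a literal. Tighten the address to `/^[[:space:]]*{{{ key }}}[[:space:]]*=/` and end the check with `[[:space:]]*$`. In the quoted branch the file stores `{{{ key }}}="{{{ value }}}"` but the check looks for a bare value, so it never reports the value as already set and the sed always runs; allow optional `"` around the value there (`\"?{{{ value }}}\"?`). The enclosing `for f in …` loop starts before this hunk.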
@@ -0,0 +1,13 @@ +#!/bin/bash +SECTION="{{{ SECTION }}}" +PARAM="{{{ PARAM }}}" +VALUE="{{{ VALUE }}}" +MASTER_CFG_FILE="{{{ MASTER_CFG_FILE }}}" + +# This setup tests if remediation is "tricked" by a commented-out correct value. +# It sets an active bad value and a commented-out good value. +{{% if NO_QUOTES %}} +echo -e "[$SECTION]\n$PARAM=badval\n#$PARAM=$VALUE" > "$MASTER_CFG_FILE" +{{% else %}} +echo -e "[$SECTION]\n$PARAM=\"badval\"\n#$PARAM=\"$VALUE\"" > "$MASTER_CFG_FILE" +{{% endif %}} diff --git a/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja b/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja index 34a90ce2398b..95dfa0acb8da 100644 --- a/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja +++ b/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja @@ -46,7 +46,7 @@ teardown() { @test "bash_ensure_ini_config - Basic value remediation" { printf "[pam]\npam_cert_auth = false\n" > sssd_test/sssd.conf - expected_output="[pam]\npam_cert_auth=true\n" + expected_output="[pam]\npam_cert_auth = true\n" call_bash_ensure_ini_config "sssd_test/sssd.conf" "pam" "pam_cert_auth" "true" @@ -57,7 +57,7 @@ teardown() { @test "bash_ensure_ini_config - Value remediation in multiple files" { printf "[pam]\npam_cert_auth = false\n" > sssd_test/sssd.conf printf "[pam]\npam_cert_auth = false\n" > pam_cert_auth.conf - expected_output="[pam]\npam_cert_auth=true\n" + expected_output="[pam]\npam_cert_auth = true\n" call_bash_ensure_ini_config "sssd_test/sssd.conf pam_cert_auth.conf" "pam" "pam_cert_auth" "true" @@ -70,7 +70,7 @@ teardown() { @test "bash_ensure_ini_config - No remediation happened" { printf "[pam]\npam_cert_auth = true\n" > sssd_test/sssd.conf - expected_output="[pam]\npam_cert_auth=true\n" + expected_output="[pam]\npam_cert_auth = true\n" call_bash_ensure_ini_config "sssd_test/sssd.conf" "pam" "pam_cert_auth" "true" From 6e0a3e7ec27fa58788d013daf5bd7c08afc07c3d Mon Sep 17 00:00:00 2001 
From: Alan Moore
Date: Tue, 24 Feb 2026 11:38:59 +0000
Subject: [PATCH 166/265] Add /sbin/audisp-syslog /sbin/audisp-remote /sbin/audispd-zos-remote to audit-binaries
Signed-off-by: Alan Moore
---
 product_properties/10-audit-binaries.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/product_properties/10-audit-binaries.yml b/product_properties/10-audit-binaries.yml
index 9fa2da7022e7..bf0762d2f54a 100644
--- a/product_properties/10-audit-binaries.yml
+++ b/product_properties/10-audit-binaries.yml
@@ -11,9 +11,13 @@ default:
 - /sbin/audispd
 {{% endif %}}
 - /sbin/augenrules
- {{% if 'rhel' in product or product == 'sle16' %}}
+ {{% if 'rhel' in product or product == 'sle16' or product == "ubuntu2204" %}}
 - /sbin/audisp-syslog
 {{% endif %}}
+ {{% if product == "ubuntu2204" %}}
+ - /sbin/audisp-remote
+ - /sbin/audispd-zos-remote
+ {{% endif %}}
 overrides:
 {{% if product == 'sle15' %}}
 audit_binaries:
From c01bd8c9372d927e97cbe61602d920d408501860 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 11 Feb 2026 16:41:57 +0100
Subject: [PATCH 167/265] Fix a typo The correct text is "users".
---
 .../tests/banner_etc_issue_net_cis_recommended.pass.sh | 2 +-
 .../tests/banner_etc_motd_cis_recommended.pass.sh | 2 +-
 .../banner_etc_motd/tests/banner_etc_motd_default.pass.sh | 4 ++--
 .../system/accounts/accounts-banners/motd_banner_text.var | 6 +++---
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
index a4d328e76565..5d58cbc2588e 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
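Review bot: Both new conditions hard-code `product == "ubuntu2204"`, so later Ubuntu builds keep the shorter list even if they ship the same `audisp-remote` and `audispd-zos-remote` plugins (not verifiable from this file); either gate on `'ubuntu' in product`, mirroring the existing `'rhel' in product` test, or state the restriction above the block with `# ubuntu2204 only: <reason>`. The mixed quoting (`'sle16'` versus `"ubuntu2204"`) inside one Jinja condition is also worth normalising while the line is being edited. Note that `/sbin/audisp-syslog` is now added to the list for Ubuntu without being matched by a corresponding override, which is fine only if the path is correct on that platform.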
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis
 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
+echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
index 1cacc28d7328..049470d872e4 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
+echo "Authorized users only. All activity may be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
index 8aeedeb1b322..4b7e6447efc9 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-# default banner from motd_banner_text.var
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
+# default banner from motd_banner_contents.var
+echo "Authorized users only. All activity may be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var
index 6c7fff79ebc7..a71de22c9c6f 100644
--- a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var
@@ -16,12 +16,12 @@ options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. # How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions - cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ - cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters dod_banners: 
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+searc
h,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: 
^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\
s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ usgcb_default: ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ - default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + default: 
^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ From c664a95e122aced58489f67f1f2f284b6e754a99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 11 Feb 2026 16:46:44 +0100 Subject: [PATCH 168/265] Introduce new variables These new variables will contain the actual text of the login banner. The variables will be used in multiple rules. They will be used only in remediations, not in OVALs. Using a variable will allow content users to specify the exact login banner text they want to have on the system, in contrast to specifying only regular expressions matching the text. --- .../dconf_login_banner_contents.var | 25 +++++++++++++++++++ .../login_banner_contents.var | 25 +++++++++++++++++++ .../accounts-banners/motd_banner_contents.var | 25 +++++++++++++++++++ .../remote_login_banner_contents.var | 25 +++++++++++++++++++ 4 files changed, 100 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var create mode 100644 linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var create mode 100644 linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var create mode 100644 linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var new file mode 100644 index 000000000000..d4f1b4bc0fc5 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var 
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, 
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. 
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var new file mode 100644 index 000000000000..d39a75fd02fd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var 
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby 
attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var new file mode 100644 index 000000000000..07fab0040f52 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var 
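Review bot: The description should say that this value and the `login_banner_text` regex are independent inputs that have to be kept consistent: the remediation writes this text, the OVAL check reads only the regex, so tailoring one selector without the other (or picking `cis_default` here and a different regex there) produces a remediation whose output still fails the check. Suggested sentence after `This variable is used only in remediations.`: `Keep it consistent with the regular expression selected in login_banner_text; the check does not read this variable, so a mismatch leaves the remediated system non-compliant.` Since the string is substituted verbatim into remediation scripts, a short note that tailoring authors should treat it as plain text (no shell or Jinja metacharacters) would also save surprises.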
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'MotD Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby 
attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var new file mode 100644 index 000000000000..c3d740df9c6f --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var 
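Review bot: The description states that OVAL uses the regex in `login_banner_text`, but this is the MotD variable and the controls changed later in this series select a separate `motd_banner_text` regex (e.g. `- motd_banner_text=cis_default` in controls/ccn_ol9.yml), which is presumably what the motd check reads. Suggest `In OVAL checks a regular expression specified in the motd_banner_text variable is used instead.` plus a sentence that the two must be kept consistent, since nothing enforces it. The first line, `Enter an appropriate login banner text`, is copied from login_banner_contents.var and should say message-of-the-day text.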
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Remote Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or 
services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' From 0337d9fbb01054d36396ac2b957938bac1aa9314 Mon Sep 17 00:00:00 2001 
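Review bot: The description points at the `login_banner_text` regex, but this is the remote-login variable and the controls in this series select a separate `remote_login_banner_text` regex (e.g. `- remote_login_banner_text=cis_default` in controls/ccn_ol9.yml), which is presumably the one the corresponding check reads. Suggest `In OVAL checks a regular expression specified in the remote_login_banner_text variable is used instead.` and a sentence that the two must stay consistent, because the check never reads this variable. The opening sentence should also refer to the remote login banner rather than the generic login banner.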
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 11 Feb 2026 16:55:43 +0100 Subject: [PATCH 169/265] Use login_banner_contents variable in rule banner_etc_issue Use login_banner_contents variable in remediations in rule banner_etc_issue. Also, add test scenarios to test the ability to parametrize the rule with a custom banner text. --- controls/ccn_ol9.yml | 1 + controls/cis_al2023.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/general_sle15.yml | 1 + controls/general_slmicro5.yml | 2 ++ controls/nist_rhcos4.yml | 1 + controls/srg_gpos.yml | 1 + controls/std_kylinserver10.yml | 1 + controls/std_tencentos4.yml | 1 + controls/stig_ol9.yml | 1 + controls/stig_slmicro5.yml | 1 + .../banner_etc_issue/ansible/shared.yml | 6 ++-- .../banner_etc_issue/bash/shared.sh | 28 +++---------------- .../banner_etc_issue_disa_dod_short.fail.sh | 2 +- .../banner_etc_issue_disa_dod_short.pass.sh | 2 +- .../tests/custom_banner.fail.sh | 8 ++++++ .../tests/custom_banner.pass.sh | 8 ++++++ .../accounts-banners/login_banner_text.var | 16 +++++++---- products/anolis23/profiles/standard.profile | 1 + products/anolis8/profiles/standard.profile | 1 + products/fedora/profiles/ospp.profile | 1 + products/ol7/profiles/ncp.profile | 1 + products/ol7/profiles/stig.profile | 1 + products/ol8/profiles/stig.profile | 1 + .../openembedded/profiles/expanded.profile | 1 + .../openembedded/profiles/standard.profile | 1 + products/rhel10/controls/cis_rhel10.yml | 1 + products/rhel8/controls/cis_rhel8.yml | 1 + products/rhel8/controls/stig_rhel8.yml | 1 + products/rhel8/profiles/rht-ccp.profile | 1 + products/rhel9/controls/ccn_rhel9.yml | 1 + products/rhel9/controls/stig_rhel9.yml | 1 + products/rhv4/profiles/rhvh-stig.profile | 1 + products/sle12/profiles/stig.profile | 1 + products/sle15/profiles/stig.profile | 1 + 36 files changed, 65 insertions(+), 35 deletions(-) create mode 100644 
linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index 9c0756c3efa1..d2496dc37af2 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -625,6 +625,7 @@ controls: - dconf_gnome_login_banner_text - sshd_enable_warning_banner_net - login_banner_text=cis_default + - login_banner_contents=cis_default - motd_banner_text=cis_default - remote_login_banner_text=cis_default diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 666a5322499e..af8a7013daf7 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -477,6 +477,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.7.3 title: Ensure remote login warning banner is configured properly (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index d842d6e6c3c6..57f6f3438318 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -467,6 +467,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.1.3 title: Ensure remote login warning banner is configured properly (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 97c61f63374e..f785c46e7270 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -465,6 +465,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.1.3 title: Ensure remote login warning banner is configured properly (Automated) diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index 73dca83f3e70..9d1f03215c02 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml 
@@ -479,6 +479,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: SLES-15-151050045 title: Modify the System Login Banner for Remote Connections diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml index 8a83a0b428fb..c63758f12879 100644 --- a/controls/general_slmicro5.yml +++ b/controls/general_slmicro5.yml @@ -278,6 +278,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: SLEM-5-SET-08010300 title: Modify the System Login Banner for Remote Connections @@ -1021,6 +1022,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default - sshd_enable_warning_banner status: automated diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml index 02690cb34dc1..6bee855d39fa 100644 --- a/controls/nist_rhcos4.yml +++ b/controls/nist_rhcos4.yml @@ -1228,6 +1228,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default description: "The information system:\n a. Displays to users [Assignment: organization-defined\ \ system use notification message or banner] before granting access to the system that provides\ \ privacy and security notices consistent with applicable federal laws, Executive Orders, directives,\ diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml index 5be978311df7..c44f13af6f94 100644 --- a/controls/srg_gpos.yml +++ b/controls/srg_gpos.yml @@ -26,5 +26,6 @@ controls: - var_accounts_authorized_local_users_regex=rhel9 - var_account_disable_post_pw_expiration=35 - login_banner_text=dod_banners + - login_banner_contents=dod_default - var_authselect_profile=sssd - var_auditd_name_format=stig diff --git a/controls/std_kylinserver10.yml b/controls/std_kylinserver10.yml index 8e101a908189..fbcb9f3e0d81 100644 --- a/controls/std_kylinserver10.yml +++ b/controls/std_kylinserver10.yml 
@@ -119,6 +119,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.14 title: ensure-message-of-the-day-is-configured-properly diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml index 06aa7e4656de..7ad7acdc48cd 100644 --- a/controls/std_tencentos4.yml +++ b/controls/std_tencentos4.yml @@ -123,6 +123,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.4.3 title: Ensure remote login warning banner is configured properly diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml index 9d8522165fb6..256159f7520f 100644 --- a/controls/stig_ol9.yml +++ b/controls/stig_ol9.yml @@ -53,6 +53,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_default + - login_banner_contents=dod_default status: automated - id: OL09-00-000020 diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index d39b265fff84..dbc58b097ca7 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -36,6 +36,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default status: automated - id: SLEM-05-211025 diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml index 7b15061e7aa4..a43e1b6a25c9 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml 
@@ -3,13 +3,13 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("login_banner_text") }}} +{{{ ansible_instantiate_variables("login_banner_contents") }}} {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] -%}} - name: "{{{ rule_title }}} - Ensure Correct Banner" ansible.builtin.copy: dest: /etc/issue - content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' + content: "{{ login_banner_contents | replace('\\n', '\n') }}\n" {{%- else -%}} - name: {{{ rule_title }}} Ensure issue-generator is Installed ansible.builtin.package: @@ -19,7 +19,7 @@ - name: "{{{ rule_title }}} - Ensure Correct Banner" ansible.builtin.copy: dest: /etc/issue.d/99-oscap-setting - content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' + content: "{{ login_banner_contents }}\n" - name: "{{{ rule_title }}} - Restart issue-generator Service on Issue Configuration Change" ansible.builtin.systemd: diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh index 177d34e2a3b7..6d0e75f418fa 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh 
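Review bot: The `replace('\\n', '\n')` filter on the new `/etc/issue` `content:` line is probably a no-op: the YAML double-quoted scalar already turns `\\n` into `\n` and `\n` into a newline, and Jinja then unescapes the string literal `'\n'` to a newline too, so both arguments end up as the same character and the literal backslash-n pairs in `dod_default`, `dss_odaa_default` and `usgcb_default` stay in the file. The issue-generator branch in the second hunk does no unescaping at all (`content: "{{ login_banner_contents }}\n"`), so sle15/slmicro diverge from the bash remediation, which unescapes in both branches. Keeping the backslashes out of YAML's reach with a single-quoted scalar and letting Jinja do the escaping, `content: '{{ login_banner_contents | replace("\\n", "\n") ~ "\n" }}'`, in both branches should fix both; please verify against a file written from `dod_default`.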
@@ -1,31 +1,11 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux
+# platform = multi_platform_all
-read -r -d '' login_banner_text <<'EOF' || true
-(bash-populate login_banner_text)
-EOF
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-# (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("login_banner_text") }}}
-# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
-{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
-formatted=$(echo "$login_banner_text" | fold -sw 80)
+login_banner_contents=$(echo "(bash-populate login_banner_contents)" | sed 's/\\n/\n/g')
 {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] %}}
-cat </etc/issue
-$formatted
-EOF
+echo "$login_banner_contents" > /etc/issue
 {{%- else %}}
 {{{ bash_package_install("issue-generator") }}}
-cat </etc/issue.d/99-oscap-setting
-$formatted
-EOF
+echo "$login_banner_contents" > /etc/issue.d/99-oscap-setting
 {{{ bash_service_command("restart", "issue-generator") }}}
 {{%- endif -%}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh
index 2b775d15e0eb..0623faba0be8 100644
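Review bot: `login_banner_contents=$(echo "(bash-populate login_banner_contents)" | sed 's/\\n/\n/g')` places the tailored XCCDF value inside a double-quoted shell string, so a banner containing `"`, `$(…)`, backticks or a trailing backslash breaks this root-run remediation or, in the `$(…)` case, is executed — assuming the substitution is textual, which is exactly what the removed `<<'EOF'` heredoc was guarding against. `echo "$login_banner_contents"` is also fragile: bash's builtin consumes a leading `-n`/`-e` as an option and expands backslash sequences when `xpg_echo` is on. Restoring the quoted heredoc for the populated value and writing with `printf '%s\n'` keeps the banner as data in both branches; note the old `fold -sw 80` wrapping is gone as well, which only works because every shipped option is already pre-wrapped with `\n`.
```shell
read -r -d '' login_banner_contents <<'EOF' || true
(bash-populate login_banner_contents)
EOF
# Turn the literal "\n" sequences of the XCCDF value into newlines; the value never reaches the shell parser.
login_banner_contents=$(printf '%s' "$login_banner_contents" | sed 's/\\n/\n/g')

{{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] %}}
printf '%s\n' "$login_banner_contents" > /etc/issue
{{%- else %}}
# … unchanged: issue-generator install …
printf '%s\n' "$login_banner_contents" > /etc/issue.d/99-oscap-setting
# … unchanged: issue-generator restart, endif …
```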
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$
+# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't.
 # dod_short banner
 echo "Hello, how are you" > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
index 3b8a52eed5d8..b3ea66d844d9 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$
+# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't.
 # dod_short banner
 echo "I've read & consent to terms in IS user agreem't." > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh
new file mode 100644
index 000000000000..59d30c04fdd1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}}
+{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}}
+# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}}
+
+cat > /etc/issue <<'EOF'
+This is a test banner.
+EOF
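Review bot: The `# variables =` line appears to be comma-delimited (the dod_short tests in this series join two variables with `,login_banner_contents=`), so this scenario silently depends on `ts_custom_banner` and its regex containing no comma; the chosen text happens to satisfy that, but nothing records the constraint for the next person who edits the banner. Suggest a comment above the first `set`: `# Keep the banner and its regex free of commas: the "variables" line below is comma-delimited.` The same two `set` blocks are duplicated verbatim in custom_banner.pass.sh; if the test harness allows a shared Jinja file, factoring them out would keep the pass and fail scenarios from drifting apart.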
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh
new file mode 100644
index 000000000000..4b9bd219e47e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh
@@ -0,0 +1,8 @@ +#!/bin/bash +{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}} +{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}} +# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}} + +cat > /etc/issue <<'EOF' +{{{ ts_custom_banner }}} +EOF 
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index a8a9e9337576..6a44de843411 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -1,21 +1,25 @@ documentation_complete: true -title: 'Login Banner Verbiage' +title: Login Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. -# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions +# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters 
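Review bot: With `interactive: true` the value is now something users type into a tailoring, yet the new description drops the only sentence that said how line breaks and special characters have to be encoded, and the link alone is easy to miss. One added line such as `The value must be a single-line regular expression; line breaks and spacing in the banner are matched with patterns such as [\s\n]+, as in the options below.` would keep that guidance next to the field. `(eg. STIG)` should read `(e.g. STIG)`. The same description text is introduced for motd_banner_text.var in the next commit and, judging by its diffstat, for remote_login_banner_text.var in the one after.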
diff --git a/products/anolis23/profiles/standard.profile b/products/anolis23/profiles/standard.profile index 2cf3bfda5a31..90470b4d6347 100644 --- a/products/anolis23/profiles/standard.profile +++ b/products/anolis23/profiles/standard.profile @@ -375,6 +375,7 @@ selections: ### Level 1 - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default ## 4.3-ensure-remote-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile index b60cba9e23d0..c6500a487a14 100644 --- a/products/anolis8/profiles/standard.profile +++ b/products/anolis8/profiles/standard.profile @@ -375,6 +375,7 @@ selections: ### Level 1 - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default ## 4.3-ensure-remote-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index 601f0e2375ec..4abcc1aee72e 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile @@ -103,6 +103,7 @@ selections: - rsyslog_remote_loghost - auditd_audispd_encrypt_sent_records - login_banner_text=usgcb_default + - login_banner_contents=usgcb_default - sshd_enable_warning_banner - banner_etc_issue - sshd_rekey_limit diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile index 2acb9c798f04..29a30bf9aebd 100644 --- a/products/ol7/profiles/ncp.profile +++ b/products/ol7/profiles/ncp.profile @@ -36,6 +36,7 @@ extends: ospp selections: - installed_OS_is_vendor_supported - login_banner_text=usgcb_default + - login_banner_contents=usgcb_default - inactivity_timeout_value=15_minutes - var_password_pam_minlen=15 - accounts_password_all_shadowed diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 133832c72af2..39772872a2cc 100644 --- a/products/ol7/profiles/stig.profile 
+++ b/products/ol7/profiles/stig.profile @@ -8,6 +8,7 @@ description: |- selections: - login_banner_text=dod_banners + - login_banner_contents=dod_default - inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds - sshd_idle_timeout_value=10_minutes diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index 9aa7aad5ac4f..2b70b14f26a5 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -61,6 +61,7 @@ selections: - var_auditd_disk_full_action=ol8 - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners + - login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile index 13db15a9530b..9e289a1b1782 100644 --- a/products/openembedded/profiles/expanded.profile +++ b/products/openembedded/profiles/expanded.profile @@ -114,6 +114,7 @@ selections: - motd_banner_text=cis_banners - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - file_groupowner_etc_motd - file_owner_etc_motd - file_permissions_etc_motd diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile index 37547a454e83..f8ecfa88b693 100644 --- a/products/openembedded/profiles/standard.profile +++ b/products/openembedded/profiles/standard.profile @@ -109,6 +109,7 @@ selections: - motd_banner_text=cis_banners - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - file_groupowner_etc_motd - file_owner_etc_motd - file_permissions_etc_motd diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml index 8269196f2993..59517fa5921f 100644 --- a/products/rhel10/controls/cis_rhel10.yml +++ b/products/rhel10/controls/cis_rhel10.yml 
@@ -707,6 +707,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml index cbe5d4d6454e..56fadc235366 100644 --- a/products/rhel8/controls/cis_rhel8.yml +++ b/products/rhel8/controls/cis_rhel8.yml @@ -741,6 +741,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index a50b9e2e66a3..b8948e8d925c 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -67,6 +67,7 @@ controls: - var_auditd_disk_full_action=rhel8 - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners + - login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig - var_time_service_set_maxpoll=18_hours diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile index 4e67d3893c0c..cff0b644c55a 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -27,6 +27,7 @@ selections: - var_password_pam_difok=3 - var_password_pam_unix_remember=5 - var_accounts_user_umask=077 + - login_banner_contents=usgcb_default - login_banner_text=usgcb_default - partition_for_tmp - partition_for_var diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index 6f0dcc2928f3..e382db0b1e65 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml 
@@ -639,6 +639,7 @@ controls: - dconf_gnome_login_banner_text - sshd_enable_warning_banner_net - login_banner_text=cis_banners + - login_banner_contents=cis_default - remote_login_banner_text=cis_banners - id: A.11.SEC-RHEL5 diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 39bb4a26a47e..a4c2007a6cff 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -49,6 +49,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default status: automated - id: RHEL-09-211030 diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile index ec2dd7bdbfb5..a0c8bc01d309 100644 --- a/products/rhv4/profiles/rhvh-stig.profile +++ b/products/rhv4/profiles/rhvh-stig.profile @@ -17,6 +17,7 @@ description: |- selections: - installed_OS_is_FIPS_certified - login_banner_text=dod_banners + - login_banner_contents=dod_default - inactivity_timeout_value=15_minutes - var_password_pam_minlen=15 - accounts_password_pam_minlen diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 33b341569721..e3889a4e3f6b 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -32,6 +32,7 @@ selections: - var_password_pam_ucredit=1 - var_accounts_maximum_age_login_defs=60 - login_banner_text=dod_banners + - login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index e6e28fc03306..302e60006999 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile 
@@ -31,6 +31,7 @@ selections: - var_accounts_maximum_age_login_defs=60 - var_password_pam_delay=4000000 - login_banner_text=dod_banners + - login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled From f6062eec729f74c2419bd4e2bd8772e4da8d7f94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Feb 2026 09:21:22 +0100 Subject: [PATCH 170/265] Use motd_banner_contents variable in rule banner_etc_motd Use motd_banner_contents variable in remediations in rule banner_etc_motd. --- controls/ccn_ol9.yml | 1 + controls/cis_al2023.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/general_sle15.yml | 1 + controls/general_slmicro5.yml | 1 + controls/std_kylinserver10.yml | 3 ++- controls/std_tencentos4.yml | 1 + .../banner_etc_motd/ansible/shared.yml | 4 ++-- .../banner_etc_motd/bash/shared.sh | 23 +++---------------- .../banner_etc_motd/oval/shared.xml | 2 +- .../accounts-banners/motd_banner_text.var | 14 +++++++---- products/anolis23/profiles/standard.profile | 3 ++- products/anolis8/profiles/standard.profile | 3 ++- .../openembedded/profiles/expanded.profile | 1 + .../openembedded/profiles/standard.profile | 1 + products/rhel9/controls/ccn_rhel9.yml | 2 ++ products/sle15/profiles/pcs-hardening.profile | 3 +++ 18 files changed, 35 insertions(+), 31 deletions(-) diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index d2496dc37af2..821a5e7b3e73 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -627,6 +627,7 @@ controls: - login_banner_text=cis_default - login_banner_contents=cis_default - motd_banner_text=cis_default + - motd_banner_contents=cis_default - remote_login_banner_text=cis_default - id: A.11.SEC-OL5 diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index af8a7013daf7..896ecc8c132b 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
@@ -468,6 +468,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.7.2 title: Ensure local login warning banner is configured properly (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 57f6f3438318..2e3265d21970 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -457,6 +457,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.8.1.2 title: Ensure local login warning banner is configured properly (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index f785c46e7270..03efc7f8a40d 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -455,6 +455,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.8.1.2 title: Ensure local login warning banner is configured properly (Automated) diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index 9d1f03215c02..9e40d24e3492 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml @@ -470,6 +470,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: SLES-15-151050030 title: Modify the System Login Banner diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml index c63758f12879..ede217788fc0 100644 --- a/controls/general_slmicro5.yml +++ b/controls/general_slmicro5.yml @@ -269,6 +269,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: SLEM-5-SET-08010200 title: Modify the System Login Banner diff --git a/controls/std_kylinserver10.yml b/controls/std_kylinserver10.yml index fbcb9f3e0d81..785c64550d9e 100644 --- a/controls/std_kylinserver10.yml +++ b/controls/std_kylinserver10.yml 
@@ -128,7 +128,8 @@ controls: status: automated rules: - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.15 title: Ensure sshd PermitRootLogin is disabled (Automated) diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml index 7ad7acdc48cd..8125bb9a567d 100644 --- a/controls/std_tencentos4.yml +++ b/controls/std_tencentos4.yml @@ -114,6 +114,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.4.2 title: Ensure local login warning banner is configured properly diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml index 252618dedd57..8a3cc3128262 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml @@ -3,9 +3,9 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("motd_banner_text") }}} +{{{ ansible_instantiate_variables("motd_banner_contents") }}} - name: "{{{ rule_title }}} - ensure correct banner" ansible.builtin.copy: dest: /etc/motd - content: '{{{ ansible_deregexify_banner_etc_issue("motd_banner_text") }}}' + content: "{{ motd_banner_contents | replace('\\n', '\n') }}\n" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh index f8f5e59a2420..1f8d36fe3ce6 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh 
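Review bot: The newline decoding in `content: "{{ motd_banner_contents | replace('\\n', '\n') }}\n"` may be a no-op: YAML double-quote processing turns `'\\n'` into `'\n'` before Ansible templates the expression, and Jinja's lexer also unescapes `\n` inside string literals, so both filter arguments can resolve to the same newline character and a value holding a literal backslash-n (the form the bash remediation decodes with `sed`) would be written to /etc/motd unchanged. Worth verifying against a value that contains `\n`; if confirmed, the pattern argument needs one more level of escaping so that Jinja receives a backslash followed by `n`, and a comment on the line explaining the double unescape would stop the next reader from "simplifying" it. The banner_etc_issue_net Ansible remediation in the following commit uses the identical expression.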
@@ -1,21 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux +# platform = multi_platform_all -{{{ bash_instantiate_variables("motd_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("motd_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("motd_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("motd_banner_text") }}} -# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -{{{ bash_deregexify_banner_newline("motd_banner_text", "\\n") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("motd_banner_text") }}} -formatted=$(echo "$motd_banner_text" | fold -sw 80) - -cat </etc/motd -$formatted -EOF +motd_banner_contents=$(echo "(bash-populate motd_banner_contents)" | sed 's/\\n/\n/g') +echo "$motd_banner_contents" > /etc/motd diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml index be13d1d65419..dbfadc63d9ec 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml @@ -15,7 +15,7 @@ /etc/motd - + diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var index a71de22c9c6f..8b6fdbfc7b2d 100644 --- a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var 
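Review bot: `echo "$motd_banner_contents" > /etc/motd` passes the banner as `echo`'s first argument, so a value starting with `-n` or `-e` would be consumed as an option; `printf '%s\n' "$motd_banner_contents" > /etc/motd` writes any value verbatim. The `(bash-populate motd_banner_contents)` placeholder is also now spliced into a double-quoted string, where `$`, backquotes and `"` in a banner are live shell syntax; the removed `{{{ bash_instantiate_variables("motd_banner_text") }}}` was the project's existing way to assign a populated value and presumably takes care of quoting, so `{{{ bash_instantiate_variables("motd_banner_contents") }}}` followed by `printf '%s\n' "$motd_banner_contents" | sed 's/\\n/\n/g' > /etc/motd` would keep that handling. A `\n` in a sed replacement is not guaranteed by POSIX, which deserves a comment now that the platform line is `multi_platform_all`. The banner_etc_issue_net bash remediation in the next commit has the same shape.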
+++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var @@ -1,16 +1,20 @@ documentation_complete: true -title: 'MotD Banner Verbiage' +title: Motd Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the motd_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. diff --git a/products/anolis23/profiles/standard.profile b/products/anolis23/profiles/standard.profile index 90470b4d6347..69e8d39628fc 100644 --- a/products/anolis23/profiles/standard.profile +++ b/products/anolis23/profiles/standard.profile @@ -369,7 +369,8 @@ selections: ## 4.1-ensure-message-of-the-day-is-configured-properly ### Level 1 - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default ## 4.2-ensure-local-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile index c6500a487a14..91f13490b1ab 100644 --- a/products/anolis8/profiles/standard.profile +++ b/products/anolis8/profiles/standard.profile 
@@ -369,7 +369,8 @@ selections: ## 4.1-ensure-message-of-the-day-is-configured-properly ### Level 1 - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default ## 4.2-ensure-local-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile index 9e289a1b1782..a43e6745f40c 100644 --- a/products/openembedded/profiles/expanded.profile +++ b/products/openembedded/profiles/expanded.profile @@ -112,6 +112,7 @@ selections: - service_dovecot_disabled - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - banner_etc_issue - login_banner_text=cis_banners - login_banner_contents=cis_default diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile index f8ecfa88b693..d183617a264b 100644 --- a/products/openembedded/profiles/standard.profile +++ b/products/openembedded/profiles/standard.profile @@ -107,6 +107,7 @@ selections: - service_dovecot_disabled - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - banner_etc_issue - login_banner_text=cis_banners - login_banner_contents=cis_default diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index e382db0b1e65..bc97d06e8ddc 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -635,6 +635,8 @@ controls: - banner_etc_issue - banner_etc_issue_net - banner_etc_motd + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - sshd_enable_warning_banner_net diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile index 69da010c6d09..31bccccc320d 100644 --- a/products/sle15/profiles/pcs-hardening.profile 
+++ b/products/sle15/profiles/pcs-hardening.profile @@ -31,6 +31,9 @@ selections: - var_password_pam_delay=4000000 #- login_banner_text=dod_banners - login_banner_text=cis_banners + - login_banner_contents=cis_default + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled From eb7fda8e25c0b0a4455db971b9505cd713d222b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Feb 2026 09:57:17 +0100 Subject: [PATCH 171/265] Use remote_login_banner_contents variable in rule banner_etc_issue_net Use remote_login_banner_contents variable in remediations in rule banner_etc_issue_net. Also, add test scenarios to test the ability to parametrize the rule with a custom banner text. --- controls/ccn_ol9.yml | 1 + controls/cis_al2023.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/general_sle15.yml | 1 + controls/general_slmicro5.yml | 1 + controls/std_tencentos4.yml | 1 + controls/stig_ubuntu2204.yml | 1 + controls/stig_ubuntu2404.yml | 1 + .../banner_etc_issue_net/ansible/shared.yml | 4 ++-- .../banner_etc_issue_net/bash/shared.sh | 21 ++----------------- .../banner_etc_issue_net_mingetty.fail.sh | 4 ++++ .../tests/banner_etc_issue_net_osid.fail.sh | 4 ++++ .../banner_etc_issue_net_recommended.pass.sh | 5 +++++ .../remote_login_banner_text.var | 15 +++++++------ products/rhel9/controls/ccn_rhel9.yml | 1 + 16 files changed, 36 insertions(+), 27 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh 
diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index 821a5e7b3e73..d274c0dde947 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -629,6 +629,7 @@ controls: - motd_banner_text=cis_default - motd_banner_contents=cis_default - remote_login_banner_text=cis_default + - remote_login_banner_contents=cis_default - id: A.11.SEC-OL5 title: Network Acess to the System is Controlled diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 896ecc8c132b..ffb74aa0621b 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -488,6 +488,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.7.4 title: Ensure permissions on /etc/motd are configured (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 2e3265d21970..2c7f33e98b97 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -479,6 +479,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.8.1.4 title: Ensure permissions on /etc/motd are configured (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 03efc7f8a40d..758d8e25f95f 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -477,6 +477,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.8.1.4 title: Ensure permissions on /etc/motd are configured (Automated) diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index 9e40d24e3492..e34454eff10a 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml @@ -490,6 +490,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: SLES-15-151050060 title: Configure access to the Message of the Day Banner 
diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml index ede217788fc0..ac887def5ee4 100644 --- a/controls/general_slmicro5.yml +++ b/controls/general_slmicro5.yml @@ -289,6 +289,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: SLEM-5-SET-08010400 title: Verify Ownership and Permissions of/on Message of the Day Banner diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml index 8125bb9a567d..b08775cbce91 100644 --- a/controls/std_tencentos4.yml +++ b/controls/std_tencentos4.yml @@ -134,6 +134,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.4.4 title: Ensure permissions on /etc/motd are configured diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index f22733c254ee..6251689f0600 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml @@ -551,6 +551,7 @@ controls: - medium rules: - remote_login_banner_text=dod_banners + - remote_login_banner_contents=dod_default - sshd_enable_warning_banner_net - banner_etc_issue_net status: automated diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml index cb85dc34866e..a27f10e6eb21 100644 --- a/controls/stig_ubuntu2404.yml +++ b/controls/stig_ubuntu2404.yml @@ -441,6 +441,7 @@ controls: - medium rules: - remote_login_banner_text=dod_banners + - remote_login_banner_contents=dod_default - sshd_enable_warning_banner_net - banner_etc_issue_net status: automated diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml index 828a9a9a0c2d..4a880dccde17 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml 
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml @@ -3,9 +3,9 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("remote_login_banner_text") }}} +{{{ ansible_instantiate_variables("remote_login_banner_contents") }}} - name: "{{{ rule_title }}} - ensure correct banner" ansible.builtin.copy: dest: /etc/issue.net - content: '{{{ ansible_deregexify_banner_etc_issue("remote_login_banner_text") }}}' + content: "{{ remote_login_banner_contents | replace('\\n', '\n') }}\n" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh index 52eda0b4a9b6..bef6be11259b 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh 
@@ -1,21 +1,4 @@ # platform = multi_platform_all -{{{ bash_instantiate_variables("remote_login_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("remote_login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("remote_login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("remote_login_banner_text") }}} -# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -{{{ bash_deregexify_banner_newline("remote_login_banner_text", "\\n") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("remote_login_banner_text") }}} -formatted=$(echo "$remote_login_banner_text" | fold -sw 80) - -cat </etc/issue.net -$formatted -EOF +remote_login_banner_contents=$(echo "(bash-populate remote_login_banner_contents)" | sed 's/\\n/\n/g') +echo "$remote_login_banner_contents" > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh new file mode 100644 index 000000000000..4730f4332b42 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +echo "System name \s version \s " > /etc/issue.net 
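Review bot: The line `remote_login_banner_contents=$(echo "(bash-populate remote_login_banner_contents)" | sed 's/\\n/\n/g')` places the populated banner inside double quotes, so a tailored banner containing `$`, a backtick, `\` or `"` is expanded by the shell before it ever reaches `sed`, unless the populate step already escapes for that context. The removed line in dconf_gnome_login_banner_text/bash/shared.sh used the single-quoted form `'(bash-populate …)'`, which is the safer one; the same `$(echo "(bash-populate …)")` pattern is repeated in the dconf bash/shared.sh and bash/ubuntu.sh hunks of the next commit. I would write `remote_login_banner_contents='(bash-populate remote_login_banner_contents)'` and then `printf '%s\n' "$remote_login_banner_contents" | sed 's/\\n/\n/g' > /etc/issue.net`, which also avoids `echo` treating a banner that begins with `-n` or `-e` as an option. Note that the replaced code also folded the text at 80 columns (`fold -sw 80`); if that width mattered for the terminal banner, the commit silently drops it.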
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh new file mode 100644 index 000000000000..c579e36e5942 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +echo "This system is rhel." > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh new file mode 100644 index 000000000000..a78e272e8d67 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +# cis_default banner +echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var index 5f64f4f4af63..283b0d964c7f 100644 --- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var 
@@ -1,17 +1,20 @@ documentation_complete: true -title: 'Remote Login Banner Verbiage' +title: Remote Login Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the motd_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false - +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index bc97d06e8ddc..e7b12492f8fb 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -643,6 +643,7 @@ controls: - login_banner_text=cis_banners - login_banner_contents=cis_default - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: A.11.SEC-RHEL5 title: Network Acess to the System is Controlled From c3f3cced8a9d8217f997272913f9e05d3ca71eac Mon Sep 17 00:00:00 2001 
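Review bot: The new description says "In remediations the motd_banner_contents variable is used instead.", but this file defines the remote login (issue.net) regex, and the control-file and banner_etc_issue_net remediation hunks in this commit pair it with `remote_login_banner_contents`; the sentence looks copied from the motd variable. It should read `In remediations the remote_login_banner_contents variable is used instead.` While here, `eg.` should be `e.g.`.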
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Feb 2026 10:29:43 +0100 Subject: [PATCH 172/265] Use dconf_login_banner_contents variable in rule dconf_gnome_login_banner_text Use dconf_login_banner_contents variable in remediations in rule dconf_gnome_login_banner_text. --- controls/ccn_ol9.yml | 1 + controls/cis_almalinux9.yml | 1 + controls/cis_debian12.yml | 1 + controls/cis_fedora.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/cis_ubuntu2204.yml | 1 + controls/cis_ubuntu2404.yml | 1 + controls/general_sle15.yml | 1 + controls/stig_ol9.yml | 1 + controls/stig_ubuntu2204.yml | 1 + controls/stig_ubuntu2404.yml | 1 + .../ansible/shared.yml | 4 +-- .../bash/shared.sh | 21 ++---------- .../bash/ubuntu.sh | 23 ++----------- .../tests/correct_value_stig.pass.sh | 34 +++++++++++++++++-- .../tests/correct_value_stig_wrong_db.fail.sh | 34 +++++++++++++++++-- .../tests/missing_value_stig.fail.sh | 4 +-- .../tests/wrapped_banner.fail.sh | 4 +-- .../tests/wrong_value.fail.sh | 4 +-- .../tests/wrong_value_stig.fail.sh | 4 +-- products/fedora/profiles/ospp.profile | 1 + products/ol7/profiles/ncp.profile | 1 + products/ol7/profiles/stig.profile | 1 + products/ol8/profiles/stig.profile | 1 + products/rhel10/controls/cis_rhel10.yml | 2 +- products/rhel8/controls/cis_rhel8.yml | 2 +- products/rhel8/controls/stig_rhel8.yml | 1 + products/rhel9/controls/ccn_rhel9.yml | 1 + products/rhel9/controls/cis_rhel9.yml | 1 + products/rhel9/controls/stig_rhel9.yml | 1 + products/sle12/profiles/stig.profile | 1 + products/sle15/profiles/stig.profile | 1 + 33 files changed, 101 insertions(+), 57 deletions(-) diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index d274c0dde947..e7cbe628f541 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml 
@@ -623,6 +623,7 @@ controls: - banner_etc_motd - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_default - login_banner_contents=cis_default diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml index 29fa4bd9b124..4a91ea6f6d9f 100644 --- a/controls/cis_almalinux9.yml +++ b/controls/cis_almalinux9.yml @@ -692,6 +692,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.3 title: Ensure GDM disable-user-list option is enabled (Automated) diff --git a/controls/cis_debian12.yml b/controls/cis_debian12.yml index 8e0208f77309..5885306303f2 100644 --- a/controls/cis_debian12.yml +++ b/controls/cis_debian12.yml @@ -541,6 +541,7 @@ controls: - l1_workstation rules: - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml index 3f76e1c78eb6..0d843c36fd44 100644 --- a/controls/cis_fedora.yml +++ b/controls/cis_fedora.yml @@ -711,6 +711,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 2c7f33e98b97..38be815e97a2 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -539,6 +539,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: 2.1.1 title: Ensure xinetd is not installed (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 758d8e25f95f..4d7c269cc099 100644 --- a/controls/cis_sle15.yml 
+++ b/controls/cis_sle15.yml @@ -536,6 +536,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: 2.1.1 title: Ensure xinetd is not installed (Automated) diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml index 84f3287f32ee..e0cfbb361f0c 100644 --- a/controls/cis_ubuntu2204.yml +++ b/controls/cis_ubuntu2204.yml @@ -529,6 +529,7 @@ controls: - l1_workstation rules: - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 58c756c81c9d..9c18ee8621ce 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -562,6 +562,7 @@ controls: - l1_workstation rules: - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index e34454eff10a..1acede4d2700 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml @@ -539,6 +539,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: SLES-15-151200135 title: Disable the GDM Login User List diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml index 256159f7520f..ca87ad32731c 100644 --- a/controls/stig_ol9.yml +++ b/controls/stig_ol9.yml @@ -1974,6 +1974,7 @@ controls: rules: - dconf_gnome_login_banner_text - login_banner_text=dod_default + - dconf_login_banner_contents=cis_default - id: OL09-00-002122 levels: diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index 6251689f0600..851d2f664d0c 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml 
@@ -655,6 +655,7 @@ controls: - medium rules: - login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - dconf_gnome_login_banner_text status: automated diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml index a27f10e6eb21..28abfae075c7 100644 --- a/controls/stig_ubuntu2404.yml +++ b/controls/stig_ubuntu2404.yml @@ -463,6 +463,7 @@ controls: - medium rules: - login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - dconf_gnome_login_banner_text status: automated diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml index 33d95980ded9..38bd849f78c4 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml @@ -3,7 +3,7 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("login_banner_text") }}} +{{{ ansible_instantiate_variables("dconf_login_banner_contents") }}} - name: "{{{ rule_title }}}" ansible.builtin.file: @@ -32,7 +32,7 @@ dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/login-screen option: banner-message-text - value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}' + value: '''{{ dconf_login_banner_contents }}''' create: yes no_extra_spaces: yes register: result_ini diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh index 930d5fe18189..c686cbe1dbf3 100644 
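Review bot: The new `value: '''{{ dconf_login_banner_contents }}'''` wraps the banner in a GVariant single-quoted string without escaping single quotes that occur inside the banner, so a value containing an apostrophe (the removed test regex shows the DoD short banner with `I\'ve` and `agreem\'t`) produces a malformed `banner-message-text` entry, unless the variable's value is already expected to carry that escaping. The removed test code explicitly escaped `'` as `\'` before wrapping, which suggests the remediation should do the same, e.g. `value: '''{{ dconf_login_banner_contents | replace("''", "\\''") }}'''`. The bash hunks in dconf_gnome_login_banner_text/bash/shared.sh and bash/ubuntu.sh interpolate `"'${dconf_login_banner_contents}'"` the same way and need the equivalent escaping. The first hunk's `ansible_instantiate_variables` change looks fine.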
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh @@ -1,22 +1,5 @@ # platform = multi_platform_all -login_banner_text='(bash-populate login_banner_text)' - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("login_banner_text") }}} -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - -{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" ) +{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", dconf_gdm_dir, "00-security-settings-lock") }}} 
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh index 57e577df79b9..4d38311e4e43 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh 
@@ -1,28 +1,11 @@ # platform = multi_platform_ubuntu -{{{ bash_instantiate_variables("login_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("login_banner_text") }}} -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - {{{ bash_enable_dconf_user_profile(profile="user", database="local") }}} {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" ) # Will do both approach, since we plan to migrate to checks over dconf db. That way, future updates of the tool # will pass the check even if we decide to check only for the dconf db path. 
-{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${login_banner_text}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} -{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${dconf_login_banner_contents}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} +{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} # No need to use dconf update, since bash_dconf_settings does that already diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh index 6ff96441acd3..c2caa11732c3 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh 
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE +or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details. +EOF +) + +# replace two subsequent newlines with a \n\n and single newlines with a space +login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g') clean_dconf_settings -add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" add_dconf_lock "org/gnome/login-screen" "banner-message-text" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" dconf update diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh index 9969fcc6f0d2..c8077d767d35 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh 
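Review bot: The 20-line heredoc assigning `login_banner_contents` and the `login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g')` line are duplicated verbatim in the correct_value_stig_wrong_db.fail.sh hunk; since both scripts already `source $SHARED/dconf_test_functions.sh`, the banner text and its escaping belong in one helper there so the two tests cannot drift. The sed escapes newlines but not single quotes before the value is wrapped in `'…'` for `add_dconf_setting`; that is harmless for this banner, which contains none, but a comment such as `# banner contains no single quotes, so no \' escaping is needed here` would stop a future copy with the short DoD banner from silently breaking. I cannot tell from the hunk whether this wrapped text is byte-identical to the `dod_default` value the remediation writes; if it is not, the pass test exercises a different value than the remediation.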
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE +or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details. +EOF +) + +# replace two subsequent newlines with a \n\n and single newlines with a space +login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g') clean_dconf_settings -add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "dummy.d" "00-security-settings" +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "dummy.d" "00-security-settings" add_dconf_lock "org/gnome/login-screen" "banner-message-text" "dummy.d" "00-security-settings-lock" dconf update diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh index c316d7c8f74b..56eb33cd1061 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh 
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh
 install_dconf_and_gdm_if_needed
-# login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
-# expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+# login_banner_contents="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
+# expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
 clean_dconf_settings
 add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings"
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
index 38b8ee45b0a8..87167c0f5d13 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh
 install_dconf_and_gdm_if_needed
-login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after."
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after."
+expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
 clean_dconf_settings
 add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings"
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
index 6a3b00b8cafa..577d3a876327 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
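Review bot: In `wrapped_banner.fail.sh` the renamed `login_banner_contents` still holds the `[\s\n]+`-encoded regex form and is still pushed through the `expanded=$(echo ... | sed ...)` conversion, so the new name describes a regex rather than banner contents; the `wrong_value.fail.sh` and `wrong_value_stig.fail.sh` hunks that follow keep the same conversion for a plain string, where it has nothing to convert. The heredoc-based test hunk earlier in this commit already moved to literal text plus a newline-escaping sed, and these three tests would read consistently with it if they assigned the plain text, dropped the `expanded` step and passed the escaped value to `add_dconf_setting`. The `s/(\\\\\x27)/tamere/g` step carried over in the sed chain has a replacement token that looks like a leftover; if the conversion is kept, a one-line comment saying what that substitution is for would help. The test script continues outside the hunk.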
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh
 install_dconf_and_gdm_if_needed
-login_banner_text="Wrong Banner Text"
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+login_banner_contents="Wrong Banner Text"
+expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
 clean_dconf_settings
 add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings"
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
index 7c7d4c073e3d..1c04437538a8 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
@@ -3,8 +3,8 @@
 # profiles = xccdf_org.ssgproject.content_profile_stig
 # packages = dconf,gdm
-login_banner_text="Wrong Banner Text"
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+login_banner_contents="Wrong Banner Text"
+expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
 {{% if 'ubuntu' not in product %}}
 source $SHARED/dconf_test_functions.sh
diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile
index 4abcc1aee72e..ff3439776a9f 100644
--- a/products/fedora/profiles/ospp.profile
+++ b/products/fedora/profiles/ospp.profile
@@ -109,6 +109,7 @@ selections:
 - sshd_rekey_limit
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
+ - dconf_login_banner_contents=usgcb_default
 - audit_rules_login_events_faillock
 - audit_rules_login_events_lastlog
 - audit_rules_login_events_tallylog
diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile
index 29a30bf9aebd..e406ea135f70 100644
--- a/products/ol7/profiles/ncp.profile
+++ b/products/ol7/profiles/ncp.profile
@@ -324,6 +324,7 @@ selections:
 - dconf_gnome_disable_wifi_notification
 - dconf_gnome_enable_smartcard_auth
 - dconf_gnome_login_banner_text
+ - dconf_login_banner_contents=usgcb_default
 - dconf_gnome_login_retries
 - dconf_gnome_remote_access_credential_prompt
 - dconf_gnome_remote_access_encryption
diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile
index 39772872a2cc..5cbc5b525139 100644
--- a/products/ol7/profiles/stig.profile
+++ b/products/ol7/profiles/stig.profile
@@ -55,6 +55,7 @@ selections:
 - dconf_db_up_to_date
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
+ - dconf_login_banner_contents=dod_default
 - banner_etc_issue
 - dconf_gnome_screensaver_lock_enabled
 - dconf_gnome_screensaver_lock_locked
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
index 2b70b14f26a5..7c3da3f6dc74 100644
--- a/products/ol8/profiles/stig.profile
+++ b/products/ol8/profiles/stig.profile
@@ -62,6 +62,7 @@ selections:
 - var_sssd_certificate_verification_digest_function=sha1
 - login_banner_text=dod_banners
 - login_banner_contents=dod_default
+ - dconf_login_banner_contents=dod_default
 - var_authselect_profile=sssd
 - var_multiple_time_servers=stig
diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 59517fa5921f..db17e6686fdc 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -707,7 +707,7 @@ controls:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
 - login_banner_text=cis_banners
- - login_banner_contents=cis_default
+ - dconf_login_banner_contents=cis_default
 - id: 1.8.2
 title: Ensure GDM disable-user-list is configured (Automated)
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index 56fadc235366..d80ea036960e 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -741,7 +741,7 @@ controls:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
 - login_banner_text=cis_banners
- - login_banner_contents=cis_default
+ - dconf_login_banner_contents=cis_default
 - id: 1.8.2
 title: Ensure GDM disable-user-list is configured (Automated)
diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml
index b8948e8d925c..05c2c0b4efe2 100644
--- a/products/rhel8/controls/stig_rhel8.yml
+++ b/products/rhel8/controls/stig_rhel8.yml
@@ -68,6 +68,7 @@ controls:
 - var_sssd_certificate_verification_digest_function=sha1
 - login_banner_text=dod_banners
 - login_banner_contents=dod_default
+ - dconf_login_banner_contents=dod_default
 - var_authselect_profile=sssd
 - var_multiple_time_servers=stig
 - var_time_service_set_maxpoll=18_hours
diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml
index e7b12492f8fb..e70cf04c787f 100644
--- a/products/rhel9/controls/ccn_rhel9.yml
+++ b/products/rhel9/controls/ccn_rhel9.yml
@@ -639,6 +639,7 @@ controls:
 - motd_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
+ - dconf_login_banner_contents=cis_default
 - sshd_enable_warning_banner_net
 - login_banner_text=cis_banners
 - login_banner_contents=cis_default
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index f73fbd1f6d79..1878a8587286 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -691,6 +691,7 @@ controls:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: 1.8.3
 title: Ensure GDM disable-user-list option is enabled (Automated)
diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml
index a4c2007a6cff..bdbdc60ca911 100644
--- a/products/rhel9/controls/stig_rhel9.yml
+++ b/products/rhel9/controls/stig_rhel9.yml
@@ -25,6 +25,7 @@ controls:
 - medium
 rules:
 - dconf_gnome_login_banner_text
+ - dconf_login_banner_contents=dod_default
 - id: RHEL-09-211010
 levels:
 - high
diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile
index e3889a4e3f6b..ae7d6d6ddbd3 100644
--- a/products/sle12/profiles/stig.profile
+++ b/products/sle12/profiles/stig.profile
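Review bot: In `products/rhel9/controls/cis_rhel9.yml` the added selection is `- login_banner_contents=cis_default`, whereas the same commit rewrites the equivalent entry in `cis_rhel8.yml` and `cis_rhel10.yml` to `- dconf_login_banner_contents=cis_default`. If `dconf_gnome_login_banner_text` now reads `dconf_login_banner_contents`, the rhel9 CIS profiles leave that variable at its default and the GDM banner check diverges from rhel8 and rhel10 for no visible reason; if rhel9 is meant to differ, a one-line comment on that control saying why would spare the next reader the same question. The control block the hunk sits in starts before the hunk.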
@@ -33,6 +33,7 @@ selections:
 - var_accounts_maximum_age_login_defs=60
 - login_banner_text=dod_banners
 - login_banner_contents=dod_default
+ - dconf_login_banner_contents=dod_default
 #
 # Note: must configure "var_accounts_authorized_local_users_regex" when
 # "accounts_authorized_local_users" rule is enabled
diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile
index 302e60006999..b5e8a254ca99 100644
--- a/products/sle15/profiles/stig.profile
+++ b/products/sle15/profiles/stig.profile
@@ -32,6 +32,7 @@ selections:
 - var_password_pam_delay=4000000
 - login_banner_text=dod_banners
 - login_banner_contents=dod_default
+ - dconf_login_banner_contents=dod_default
 #
 # Note: must configure "var_accounts_authorized_local_users_regex" when
 # "accounts_authorized_local_users" rule is enabled
From 80432ffb5becceeae1938e9e5e8db0a721c19012 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 12 Feb 2026 10:45:09 +0100
Subject: [PATCH 173/265] Update profile stability test
---
 tests/data/profile_stability/rhel10/cis.profile | 1 +
 tests/data/profile_stability/rhel10/cis_server_l1.profile | 1 +
 .../data/profile_stability/rhel10/cis_workstation_l1.profile | 1 +
 .../data/profile_stability/rhel10/cis_workstation_l2.profile | 1 +
 tests/data/profile_stability/rhel10/stig.profile | 1 +
 tests/data/profile_stability/rhel10/stig_gui.profile | 1 +
 tests/data/profile_stability/rhel8/cis.profile | 1 +
 tests/data/profile_stability/rhel8/cis_server_l1.profile | 1 +
 .../data/profile_stability/rhel8/cis_workstation_l1.profile | 1 +
 .../data/profile_stability/rhel8/cis_workstation_l2.profile | 1 +
 tests/data/profile_stability/rhel8/rht-ccp.profile | 1 +
 tests/data/profile_stability/rhel8/stig.profile | 2 ++
 tests/data/profile_stability/rhel8/stig_gui.profile | 2 ++
 tests/data/profile_stability/rhel9/ccn_advanced.profile | 5 +++++
 tests/data/profile_stability/rhel9/ccn_basic.profile | 5 +++++
 tests/data/profile_stability/rhel9/ccn_intermediate.profile | 5 +++++
 tests/data/profile_stability/rhel9/cis.profile | 1 +
 tests/data/profile_stability/rhel9/cis_server_l1.profile | 1 +
 .../data/profile_stability/rhel9/cis_workstation_l1.profile | 1 +
 .../data/profile_stability/rhel9/cis_workstation_l2.profile | 1 +
 tests/data/profile_stability/rhel9/stig.profile | 2 ++
 tests/data/profile_stability/rhel9/stig_gui.profile | 2 ++
 22 files changed, 38 insertions(+)
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index acb21b876b66..99a6bcc79e3a 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -140,6 +140,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 1a8d4a413244..2571f6cef0c6 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -63,6 +63,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 63186a34c258..4b40bbb2cfbe 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -61,6 +61,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 221ffac17557..a51f507c86aa 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -140,6 +140,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/stig.profile b/tests/data/profile_stability/rhel10/stig.profile
index d9709ad69bbf..dd157f79d28e 100644
--- a/tests/data/profile_stability/rhel10/stig.profile
+++ b/tests/data/profile_stability/rhel10/stig.profile
@@ -318,6 +318,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_nodev
diff --git a/tests/data/profile_stability/rhel10/stig_gui.profile b/tests/data/profile_stability/rhel10/stig_gui.profile
index e5632d66dad0..22c29b3b1a40 100644
--- a/tests/data/profile_stability/rhel10/stig_gui.profile
+++ b/tests/data/profile_stability/rhel10/stig_gui.profile
@@ -318,6 +318,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_nodev
 mount_option_boot_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 40ef7718866d..1a486017ff77 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -130,6 +130,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
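Review bot: `rhel10/stig.profile` and `rhel10/stig_gui.profile` gain only `login_banner_contents=dod_default` here, while the rhel8 and rhel9 STIG fixtures later in this commit gain both that line and `dconf_login_banner_contents=dod_default`. The preceding commit adds the dconf selection to `stig_rhel8.yml` and `stig_rhel9.yml` but no rhel10 STIG control change is visible, so either rhel10 deliberately keeps the default for `dconf_login_banner_contents` or the fixture was regenerated against a control that still lacks the line; confirm against the rhel10 STIG control before treating this fixture as the expected state. A stability fixture only pins what the profile currently produces, so it cannot surface that omission on its own.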
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index c186914d253b..3adcc4a679d7 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -63,6 +63,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index f53d2e0dd714..ab02f8230153 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -61,6 +61,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index f43c7d9ea9b5..6a1bd6cd5eed 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -130,6 +130,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
diff --git a/tests/data/profile_stability/rhel8/rht-ccp.profile b/tests/data/profile_stability/rhel8/rht-ccp.profile
index 6d06160f5770..4faa19a2b5ec 100644
--- a/tests/data/profile_stability/rhel8/rht-ccp.profile
+++ b/tests/data/profile_stability/rhel8/rht-ccp.profile
@@ -41,6 +41,7 @@ firewalld_sshd_port_enabled
 grub2_password
 kernel_module_dccp_disabled
 kernel_module_sctp_disabled
+login_banner_contents=usgcb_default
 login_banner_text=usgcb_default
 no_empty_passwords
 no_shelllogin_for_systemaccounts
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a07eb83d2943..a0355b22cead 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -154,6 +154,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -225,6 +226,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 kernel_module_uvcvideo_disabled
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_efi_nosuid
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 52f48890ab39..f4740e88e209 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -154,6 +154,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -225,6 +226,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 kernel_module_uvcvideo_disabled
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nosuid
diff --git a/tests/data/profile_stability/rhel9/ccn_advanced.profile b/tests/data/profile_stability/rhel9/ccn_advanced.profile
index 00b9660909b3..2438f8526fb3 100644
--- a/tests/data/profile_stability/rhel9/ccn_advanced.profile
+++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile
@@ -66,6 +66,7 @@ dconf_gnome_disable_user_list
 dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
+dconf_login_banner_contents=cis_default
 directory_permissions_var_log_audit
 enable_authselect
 encrypt_partitions
@@ -90,7 +91,10 @@ inactivity_timeout_value=5_minutes
 kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
@@ -111,6 +115,7 @@ package_telnet-server_removed
 package_tftp-server_removed
 package_usbguard_installed
 package_vsftpd_removed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 selinux_policytype
 selinux_state
diff --git a/tests/data/profile_stability/rhel9/ccn_basic.profile b/tests/data/profile_stability/rhel9/ccn_basic.profile
index 00b96ffc1172..8b798198a18d 100644
--- a/tests/data/profile_stability/rhel9/ccn_basic.profile
+++ b/tests/data/profile_stability/rhel9/ccn_basic.profile
@@ -46,6 +46,7 @@ configure_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_login_banner_text
+dconf_login_banner_contents=cis_default
 enable_authselect
 file_groupowner_grub2_cfg
 file_groupowner_user_cfg
@@ -56,13 +57,17 @@ file_permissions_user_cfg
 firewalld_loopback_traffic_restricted
 firewalld_loopback_traffic_trusted
 grub2_password
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
 mount_option_boot_nosuid
 package_firewalld_installed
 package_usbguard_installed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 service_firewalld_enabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/ccn_intermediate.profile b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
index 80b4ea6efe36..a807fc079047 100644
--- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile
+++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
@@ -55,6 +55,7 @@ dconf_gnome_disable_user_list
 dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
+dconf_login_banner_contents=cis_default
 directory_permissions_var_log_audit
 enable_authselect
 ensure_root_password_configured
@@ -78,7 +79,10 @@ inactivity_timeout_value=5_minutes
 kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
@@ -98,6 +102,7 @@ package_telnet-server_removed
 package_tftp-server_removed
 package_usbguard_installed
 package_vsftpd_removed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 selinux_policytype
 selinux_state
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 65f2ddc07f7e..80d8bf1fe71d 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -254,6 +254,7 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index ac83e2c0a321..b0fe97a998ef 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -165,6 +165,7 @@ kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index fb685c741479..79ff5989d0a0 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -162,6 +162,7 @@ kernel_module_freevxfs_disabled
 kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3fc4bebf0c4a..3db1a26a5d2f 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -254,6 +254,7 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
index 17ec849e8914..99cd9fc08002 100644
--- a/tests/data/profile_stability/rhel9/stig.profile
+++ b/tests/data/profile_stability/rhel9/stig.profile
@@ -170,6 +170,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -304,6 +305,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_efi_nosuid
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index 35aef8879876..10ebb282a93e 100644
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -170,6 +170,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -304,6 +305,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
From 74c3dc69cf529ef4ee120b54bbc41b6faccb9be8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 12 Feb 2026 11:06:21 +0100
Subject: [PATCH 174/265] Fix yamllint problems - trailing spaces
---
 products/sle15/profiles/pcs-hardening.profile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile
index 31bccccc320d..0bfc746d362c 100644
--- a/products/sle15/profiles/pcs-hardening.profile
+++ b/products/sle15/profiles/pcs-hardening.profile
@@ -5,7 +5,7 @@ metadata:
 SMEs:
 - esampson
-reference: 
+reference:
 title: 'Public Cloud Hardening for SUSE Linux Enterprise 15'
@@ -413,7 +413,7 @@ selections:
 #- package_net-snmp_removed
 #- package_telnet_removed
 #- package_telnet-server_removed
- #### OTHER 
+ #### OTHER
 #### can't do at image build time
 #- accounts_authorized_local_users
 #- accounts_max_concurrent_login_sessions
From 4e31c114cd2daf9ba7701da9e814b81cec2fab96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:31:36 +0100
Subject: [PATCH 175/265] Fixed wrong value
Change cis_default to dod_default for dconf_login_banner_contents because this is a STIG control, not CIS.
---
 controls/stig_ol9.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml
index ca87ad32731c..3174c8d1a62b 100644
--- a/controls/stig_ol9.yml
+++ b/controls/stig_ol9.yml
@@ -1974,7 +1974,7 @@ controls:
 rules:
 - dconf_gnome_login_banner_text
 - login_banner_text=dod_default
- - dconf_login_banner_contents=cis_default
+ - dconf_login_banner_contents=dod_default
 - id: OL09-00-002122
 levels:
From 73b5466b2b1c604e072a8784245748805141fda2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:32:47 +0100
Subject: [PATCH 176/265] Use multi_platform_all in Ansible remediation
---
 .../accounts-banners/banner_etc_issue/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index a43e1b6a25c9..4136c8e028dc 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux
+# platform = multi_platform_all
 # reboot = false
 # strategy = unknown
 # complexity = low
From f579995ea243335f22fd8deeca2aef6650d80944 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:33:25 +0100
Subject: [PATCH 177/265] Fix typos
---
 .../tests/banner_etc_issue_cis_recommended.pass.sh | 2 +-
 .../accounts-banners/remote_login_banner_contents.var | 2 +-
 .../accounts-banners/remote_login_banner_text.var | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
index bc0f5a7a0872..ce541f31864c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
+echo "Authorized users only. All activity may be monitored and reported." > /etc/issue
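Review bot: The new `# platform = multi_platform_all` header makes this Ansible remediation eligible for every product, including those the removed list did not name, but the task body sits outside the hunk, so nothing here shows that it is portable to the newly covered platforms. Before relying on the wider scope, it is worth confirming that the task uses only modules and paths valid on all products and that the rule's other remediations carry the same platform header; otherwise scan coverage and fix coverage will diverge between products. If the widening is intentional, a short comment such as `# platform = multi_platform_all  (remediation is distribution-agnostic: only /etc/issue is written)` would document why the explicit list was dropped.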
diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
index c3d740df9c6f..d2b77661b666 100644
--- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
+++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
@@ -5,7 +5,7 @@ title: 'Remote Login Banner Verbiage'
 description: >-
 Enter an appropriate login banner text for your organization.
 This variable is used only in remediations.
- In OVAL checks a regular expression specified in the login_banner_text variable is used instead.
+ In OVAL checks a regular expression specified in the remote_login_banner_text variable is used instead.
 Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
 type: string
diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
index 283b0d964c7f..a4e24de44962 100644
--- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
@@ -6,7 +6,7 @@ description: >-
 Enter an appropriate login banner regular expression for your organization.
 Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
 This regular expression is used only in OVAL checks.
- In remediations the motd_banner_contents variable is used instead.
+ In remediations the remote_login_banner_contents variable is used instead.
 For information about how to generate banner regular expression for your tailoring files,
 see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
@@ -20,12 +20,12 @@ options:
 # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
 # There is a generic content in case a remediation is necessary.
 # How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
- cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
- cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters
 dod_banners: 
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+searc
h,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: 
^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\
s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ usgcb_default: ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ - default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + default: 
^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
From 8a2c6baf9333d88c973ce2d38623f4180749bde8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:33:45 +0100
Subject: [PATCH 178/265] Rename variable
Renamed local variable from login_banner_contents to dconf_login_banner_contents since this test is for a dconf rule
---
 .../tests/wrapped_banner.fail.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
index 87167c0f5d13..28b573bc3a9a 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
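Review bot: The negative lookahead in the new `cis_banners` line, `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*`, is case-sensitive, so a banner that discloses the platform as `RHEL`, `Ubuntu` or `Fedora` still satisfies the OVAL check unless the pattern is applied with a case-insensitive modifier somewhere not visible here; the commit fixes the verb on this line but leaves that detection gap. Making the lookahead case-insensitive with `(?i:...)` around the alternation, or listing the capitalised spellings, would close it, and `sle` also matches unrelated words such as `sleep`, so a word boundary may be worth considering. A one-line comment above the option, e.g. `# second alternative accepts any banner that does not leak a distribution name or an escape sequence`, would make the intent of the lookahead clear to future editors. The options block continues through `default:` at the end of this hunk.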
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." 
-expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +dconf_login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." +expanded=$(echo "$dconf_login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" From e8a2d756adfaa9191542692481447d9caac45140 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 24 Feb 2026 09:51:47 +0100 Subject: [PATCH 179/265] Fix variable selections in SAP profile There was a duplicate selection for the login_banner_text variable. The _contents variables were missing. --- products/sle15/profiles/pcs-hardening-sap.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/products/sle15/profiles/pcs-hardening-sap.profile b/products/sle15/profiles/pcs-hardening-sap.profile
index 63231a2b3b34..207b0dfa6543 100644
--- a/products/sle15/profiles/pcs-hardening-sap.profile
+++ b/products/sle15/profiles/pcs-hardening-sap.profile
@@ -24,8 +24,9 @@ selections:
 - var_apparmor_mode=complain
 - motd_banner_text=cis_banners
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - remote_login_banner_text=cis_banners
- - login_banner_text=cis_default
+ - remote_login_banner_contents=cis_default
 - var_multiple_time_servers=suse
 - var_multiple_time_pools=suse
 - var_postfix_inet_interfaces=loopback-only
From 9fcb22d36f57c904d99580ea7d036787d8814446 Mon Sep 17 00:00:00 2001
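Review bot: `motd_banner_contents` is still not selected in this hunk even though `motd_banner_text=cis_banners` is, while `login_banner_contents` and `remote_login_banner_contents` now get a matching `=cis_default` selection; the commit message says the `_contents` variables were missing, so this looks like an oversight. The `.var` descriptions in this series state that the `_contents` variables drive remediations, so the motd remediation would presumably fall back to that variable's default rather than the CIS text. Adding `- motd_banner_contents=cis_default` next to `- motd_banner_text=cis_banners` would make the three banners consistent, assuming that variable exists for this product as it does in the rhel9 profiles.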
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 24 Feb 2026 11:17:14 +0100
Subject: [PATCH 180/265] Separate variable in rule dconf_gnome_login_banner_text
The rule `dconf_gnome_login_banner_text` shared variable `login_banner_text` with other rules. Some CIS profiles recommend a different text for Dconf login banner than for other banners. Therefore we will create a special variable for this rule and we will use it instead of the variable `login_banner_text`. The new variable name is `dconf_login_banner_text` and it was created by copying the variable `login_banner_text`.
---
 controls/ccn_ol9.yml | 1 +
 controls/cis_almalinux9.yml | 2 +-
 controls/cis_debian12.yml | 2 +-
 controls/cis_fedora.yml | 2 +-
 controls/cis_sle12.yml | 2 +-
 controls/cis_sle15.yml | 2 +-
 controls/cis_ubuntu2204.yml | 2 +-
 controls/stig_ubuntu2404.yml | 2 +-
 .../dconf_login_banner_text.var | 31 +++++++++++++++++++
 .../oval/shared.xml | 4 +--
 .../oval/ubuntu.xml | 4 +--
 .../tests/ubuntu_correct_value.pass.sh | 2 +-
 .../ubuntu_correct_value_defaults.pass.sh | 2 +-
 .../tests/ubuntu_wrong_value.fail.sh | 2 +-
 .../tests/ubuntu_wrong_value_defaults.fail.sh | 2 +-
 products/fedora/profiles/ospp.profile | 1 +
 products/ol7/profiles/ncp.profile | 1 +
 products/ol7/profiles/stig.profile | 1 +
 products/ol8/profiles/stig.profile | 1 +
 products/rhel10/controls/cis_rhel10.yml | 2 +-
 products/rhel8/controls/cis_rhel8.yml | 2 +-
 products/rhel8/controls/stig_rhel8.yml | 1 +
 products/rhel9/controls/ccn_rhel9.yml | 1 +
 products/rhel9/controls/stig_rhel9.yml | 1 +
 products/sle12/profiles/stig.profile | 1 +
 products/sle15/profiles/stig.profile | 1 +
 .../data/profile_stability/rhel10/cis.profile | 2 +-
 .../rhel10/cis_server_l1.profile | 2 +-
 .../rhel10/cis_workstation_l1.profile | 2 +-
 .../rhel10/cis_workstation_l2.profile | 2 +-
 .../data/profile_stability/rhel8/cis.profile | 2 +-
 .../rhel8/cis_server_l1.profile | 2 +-
 .../rhel8/cis_workstation_l1.profile | 2 +-
 .../rhel8/cis_workstation_l2.profile | 2 +-
 .../data/profile_stability/rhel8/stig.profile | 1 +
 .../profile_stability/rhel8/stig_gui.profile | 1 +
 .../rhel9/ccn_advanced.profile | 1 +
 .../profile_stability/rhel9/ccn_basic.profile | 1 +
 .../rhel9/ccn_intermediate.profile | 1 +
 .../data/profile_stability/rhel9/stig.profile | 1 +
 .../profile_stability/rhel9/stig_gui.profile | 1 +
 41 files changed, 73 insertions(+), 25 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml
index e7cbe628f541..c065f65c5eb2 100644
--- a/controls/ccn_ol9.yml
+++ b/controls/ccn_ol9.yml
@@ -623,6 +623,7 @@ controls:
 - banner_etc_motd
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
+ - dconf_login_banner_text=cis_default
 - dconf_login_banner_contents=cis_default
 - sshd_enable_warning_banner_net
 - login_banner_text=cis_default
diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml
index 4a91ea6f6d9f..6d7189ce2877 100644
--- a/controls/cis_almalinux9.yml
+++ b/controls/cis_almalinux9.yml
@@ -691,7 +691,7 @@ controls:
 rules:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
+ - dconf_login_banner_text=cis_banners
 - dconf_login_banner_contents=cis_default
 - id: 1.8.3
diff --git a/controls/cis_debian12.yml b/controls/cis_debian12.yml
index 5885306303f2..6ffb09b7dda3 100644
--- a/controls/cis_debian12.yml
+++ b/controls/cis_debian12.yml
@@ -540,7 +540,7 @@ controls:
 - l1_server
 - l1_workstation
 rules:
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
 - dconf_login_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml
index 0d843c36fd44..8821c83a893d 100644
--- a/controls/cis_fedora.yml
+++ b/controls/cis_fedora.yml
@@ -710,7 +710,7 @@ controls:
 rules:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
+ - dconf_login_banner_text=cis_banners
 - dconf_login_banner_contents=cis_default
 - id: 1.8.2
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
index 38be815e97a2..3e4d682ce3e6 100644
--- a/controls/cis_sle12.yml
+++ b/controls/cis_sle12.yml
@@ -538,7 +538,7 @@ controls:
 - dconf_gnome_disable_user_list
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
 - dconf_login_banner_contents=cis_default
 - id: 2.1.1
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
index 4d7c269cc099..bf92b28d52f3 100644
--- a/controls/cis_sle15.yml
+++ b/controls/cis_sle15.yml
@@ -535,7 +535,7 @@ controls:
 - enable_dconf_user_profile
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
 - dconf_login_banner_contents=cis_default
 - id: 2.1.1
diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml
index e0cfbb361f0c..997016fd1e97 100644
--- a/controls/cis_ubuntu2204.yml
+++ b/controls/cis_ubuntu2204.yml
@@ -528,7 +528,7 @@ controls:
 - l1_server
 - l1_workstation
 rules:
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
 - dconf_login_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml
index 28abfae075c7..47c7e37b5d3c 100644
--- a/controls/stig_ubuntu2404.yml
+++ b/controls/stig_ubuntu2404.yml
@@ -462,7 +462,7 @@ controls:
 levels:
 - medium
 rules:
- - login_banner_text=dod_banners
+ - dconf_login_banner_text=dod_banners
 - dconf_login_banner_contents=dod_default
 - dconf_gnome_login_banner_text
 status: automated
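Review bot: The replacement `- dconf_login_banner_text=dod_banners` is needed in every STIG control that selects `dconf_gnome_login_banner_text`, but this commit's diffstat does not list `controls/stig_ol9.yml`, whose control (visible in PATCH 175 of this series) still sets `login_banner_text=dod_default` for that rule. Once the OVAL reads `dconf_login_banner_text` instead, that profile will evaluate the dconf banner against the new variable's default rather than the DoD text, unless the default happens to match; adding `- dconf_login_banner_text=dod_default` there keeps it aligned. The same check applies to any other control file outside the diffstat that pairs a `login_banner_text=…` selection with the dconf rule.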
diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
new file mode 100644
index 000000000000..6a44de843411
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
@@ -0,0 +1,31 @@ +documentation_complete: true + +title: Login Banner Verbiage Regular Expression + +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions + +type: string + +operator: equals + +interactive: true + +options: +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. +# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions + cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ +# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters + dod_banners: 
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ + dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+sea
rch,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ + dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ + dss_odaa_default: 
^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\
s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ + usgcb_default: ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ 
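Review bot: The `cis_banners` option's second alternative, `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*`, also matches an empty banner-message-text, so a GDM banner set to an empty string satisfies the CIS variant of this check; writing that branch as `^(?!.*(\\|fedora|rhel|sle|ubuntu)).+` keeps the lookahead but requires some text to be present. The lookahead is also case-sensitive, so a banner containing "Ubuntu" or "RHEL" is not rejected; OVAL pattern matching is PCRE-based, so an inline `(?i)` on that group would presumably close the gap, subject to confirming the engine accepts it. Separately, the description says "In remediations the login_banner_contents variable is used instead", but the remediation counterpart of this dconf-specific variable is presumably `dconf_login_banner_contents` (that file appears later on this page); naming it exactly keeps tailoring authors from editing the wrong variable.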
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml index 0a6b6a9c829f..4b957be47881 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml @@ -39,9 +39,9 @@ - + - + diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml index 3baac57772f3..208572acae53 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml @@ -37,9 +37,9 @@ - + - + diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh index 9b0d6ebb73f3..8d3f075bdb73 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh index 2ffb8ec5fb19..380397ebba55 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh index cf9bb8d31b34..e013ae2dd447 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh index 07e8cacfd78a..51ac9ff10ab7 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index ff3439776a9f..ea79c4506a7e 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile @@ -109,6 +109,7 @@ selections: - sshd_rekey_limit - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=usgcb_default - dconf_login_banner_contents=usgcb_default - audit_rules_login_events_faillock - audit_rules_login_events_lastlog diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile index e406ea135f70..426901de8641 100644 --- a/products/ol7/profiles/ncp.profile +++ b/products/ol7/profiles/ncp.profile 
@@ -324,6 +324,7 @@ selections: - dconf_gnome_disable_wifi_notification - dconf_gnome_enable_smartcard_auth - dconf_gnome_login_banner_text + - dconf_login_banner_text=usgcb_default - dconf_login_banner_contents=usgcb_default - dconf_gnome_login_retries - dconf_gnome_remote_access_credential_prompt diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 5cbc5b525139..27085939d81a 100644 --- a/products/ol7/profiles/stig.profile +++ b/products/ol7/profiles/stig.profile @@ -55,6 +55,7 @@ selections: - dconf_db_up_to_date - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=dod_default - dconf_login_banner_contents=dod_default - banner_etc_issue - dconf_gnome_screensaver_lock_enabled diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index 7c3da3f6dc74..622bfa8a1e6b 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -62,6 +62,7 @@ selections: - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml index db17e6686fdc..7f699bed4f29 100644 --- a/products/rhel10/controls/cis_rhel10.yml +++ b/products/rhel10/controls/cis_rhel10.yml @@ -706,7 +706,7 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - id: 1.8.2 diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml index d80ea036960e..68f020aa956b 100644 --- a/products/rhel8/controls/cis_rhel8.yml +++ b/products/rhel8/controls/cis_rhel8.yml 
@@ -740,7 +740,7 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - id: 1.8.2 diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 05c2c0b4efe2..4c2de6146d37 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -68,6 +68,7 @@ controls: - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index e70cf04c787f..84a168b77395 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -639,6 +639,7 @@ controls: - motd_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_banners diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index bdbdc60ca911..554496291306 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -25,6 +25,7 @@ controls: - medium rules: - dconf_gnome_login_banner_text + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default - id: RHEL-09-211010 levels: diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index ae7d6d6ddbd3..54f62c322a2f 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile 
@@ -33,6 +33,7 @@ selections:
 - var_accounts_maximum_age_login_defs=60
 - login_banner_text=dod_banners
 - login_banner_contents=dod_default
+ - dconf_login_banner_text=dod_banners
 - dconf_login_banner_contents=dod_default
 #
 # Note: must configure "var_accounts_authorized_local_users_regex" when
diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile
index b5e8a254ca99..37233d8004c5 100644
--- a/products/sle15/profiles/stig.profile
+++ b/products/sle15/profiles/stig.profile
@@ -32,6 +32,7 @@ selections:
 - var_password_pam_delay=4000000
 - login_banner_text=dod_banners
 - login_banner_contents=dod_default
+ - dconf_login_banner_text=dod_banners
 - dconf_login_banner_contents=dod_default
 #
 # Note: must configure "var_accounts_authorized_local_users_regex" when
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index 99a6bcc79e3a..703560adda42 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -141,6 +141,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -286,7 +287,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 2571f6cef0c6..c8adbcf11520 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -64,6 +64,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -193,7 +194,6 @@ kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 4b40bbb2cfbe..5feb1df7b612 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -62,6 +62,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -189,7 +190,6 @@ kernel_module_jffs2_disabled
 kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index a51f507c86aa..43ecd6581e9d 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -141,6 +141,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -286,7 +287,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 1a486017ff77..9e30070d1b8f 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -131,6 +131,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -284,7 +285,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index 3adcc4a679d7..747124962916 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -64,6 +64,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
@@ -201,7 +202,6 @@ kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index ab02f8230153..c6dcbe89a610 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -62,6 +62,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
@@ -198,7 +199,6 @@ kernel_module_jffs2_disabled
 kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index 6a1bd6cd5eed..1aeeb3681d3e 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -131,6 +131,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -284,7 +285,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a0355b22cead..e6e3561e18a8 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -155,6 +155,7 @@ dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index f4740e88e209..79544c850455 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -155,6 +155,7 @@ dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
diff --git a/tests/data/profile_stability/rhel9/ccn_advanced.profile b/tests/data/profile_stability/rhel9/ccn_advanced.profile
index 2438f8526fb3..5a07e93c9a1c 100644
--- a/tests/data/profile_stability/rhel9/ccn_advanced.profile
+++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile
@@ -67,6 +67,7 @@ dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 directory_permissions_var_log_audit
 enable_authselect
 encrypt_partitions
diff --git a/tests/data/profile_stability/rhel9/ccn_basic.profile b/tests/data/profile_stability/rhel9/ccn_basic.profile
index 8b798198a18d..b1fb2d97365b 100644
--- a/tests/data/profile_stability/rhel9/ccn_basic.profile
+++ b/tests/data/profile_stability/rhel9/ccn_basic.profile
@@ -47,6 +47,7 @@ dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_login_banner_text
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 enable_authselect
 file_groupowner_grub2_cfg
 file_groupowner_user_cfg
diff --git a/tests/data/profile_stability/rhel9/ccn_intermediate.profile b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
index a807fc079047..6f226054e656 100644
--- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile
+++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
@@ -56,6 +56,7 @@ dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 directory_permissions_var_log_audit
 enable_authselect
 ensure_root_password_configured
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
index 99cd9fc08002..54b834b2cfd3 100644
--- a/tests/data/profile_stability/rhel9/stig.profile
+++ b/tests/data/profile_stability/rhel9/stig.profile
@@ -171,6 +171,7 @@ dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index 10ebb282a93e..70e9b9c0914b 100644
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -171,6 +171,7 @@ dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
From 82d5b8cb49d95a1c247e4c91811306fcce748a4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 24 Feb 2026 11:35:52 +0100 Subject: [PATCH 181/265] Align Dconf GDM banner text with CIS CIS Benchmarks aren't consistent in the wording of the recommended login banner. In most CIS requirements, the text starts with "Authorized users". But the "Ensure GDM login banner is configured" requirement recommends "Authorized uses". --- .../accounts-banners/dconf_login_banner_contents.var | 2 +- .../accounts/accounts-banners/dconf_login_banner_text.var | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var index d4f1b4bc0fc5..bd366b4da215 100644 --- a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var +++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
@@ -18,7 +18,7 @@ options:
 default: 'Authorized users only. All activity may be monitored and reported.'
 # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
 # There is a generic content in case a remediation is necessary.
- cis_default: 'Authorized users only. All activity may be monitored and reported.'
+ cis_default: 'Authorized uses only. All activity may be monitored and reported.'
 dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
 dod_short: 'I''ve read & consent to terms in IS user agreem''t.'
 dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system.
All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.'
diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
index 6a44de843411..0f838c065d56 100644
--- a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
@@ -1,6 +1,6 @@
 documentation_complete: true
-title: Login Banner Verbiage Regular Expression
+title: Dconf GDM Login Banner Verbiage Regular Expression
 description: >-
 Enter an appropriate login banner regular expression for your organization.
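Review bot: The new `cis_default` wording reads like a typo for "users" and nothing in the file records that it is deliberate, so a later cleanup is likely to revert it; the explanation currently lives only in the commit message. Add above the changed line `# CIS "Ensure GDM login banner is configured" recommends "Authorized uses only" (sic); keep in sync with the cis_* regexes in dconf_login_banner_text.var`. That coupling matters because this variable appears to supply the remediation text while dconf_login_banner_text.var supplies the check regex; the companion hunk in this commit changes the regex to the same wording, and a future edit to only one of the two would leave remediated systems failing the check.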
@@ -20,8 +20,10 @@ options:
 # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
 # There is a generic content in case a remediation is necessary.
 # How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
- cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
- cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+# CIS recommends to use "Authorized uses only" for Dconf GDM requirements which is
+# different text that in other login banners where CIS recommends "Authorized users only".
+ cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+ cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters
 dod_banners:
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+searc
h,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ From 3a15fdeca4521130c129c7af0cc05eeb47fc550b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 24 Feb 2026 11:44:54 +0100 Subject: [PATCH 182/265] Remove trailing space --- products/sle15/profiles/pcs-hardening-sap.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/sle15/profiles/pcs-hardening-sap.profile b/products/sle15/profiles/pcs-hardening-sap.profile index 207b0dfa6543..22c9e487becf 100644 --- a/products/sle15/profiles/pcs-hardening-sap.profile +++ b/products/sle15/profiles/pcs-hardening-sap.profile @@ -5,7 +5,7 @@ metadata: SMEs: - esampson -reference: +reference: title: 'Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15' From 3ed664f822937a0ad1c5633eca30f31138e487d7 Mon Sep 17 00:00:00 2001 
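Review bot: The added comment has a typo: `# different text that in other login banners` should read `# different text than in other login banners`. Also worth noting in that comment: `cis_banners` keeps its pre-existing second alternative `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*`, which accepts any banner that does not mention a distribution name, so the users→uses change only narrows the first branch of that regex; the exact-wording check is `cis_default`, which must stay aligned with the cis_default value in dconf_login_banner_contents.var.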
From: Lance Bragstad Date: Thu, 19 Feb 2026 08:35:22 -0600 Subject: [PATCH 183/265] Add a .claude/CLAUDE.md file This commit adds a generic .claude/CLAUDE.md file with some information about the project structure and guidance for maintaining profiles. Subsequent commits will leverage this information with specific CLAUDE commands. --- .claude/CLAUDE.md | 301 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 301 insertions(+) create mode 100644 .claude/CLAUDE.md diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md new file mode 100644 index 000000000000..216448a3cdb5 --- /dev/null +++ b/.claude/CLAUDE.md 
@@ -0,0 +1,301 @@ +# ComplianceAsCode/content + +## Project Overview + +This repository produces SCAP data streams, Ansible playbooks, Bash scripts, and other artifacts for compliance scanning and remediation. + +Each supported operating system or platform is called a **product**. To see the full list of products, check the subdirectories under `products/` — each subdirectory name is a product ID (e.g., `rhel9`, `ocp4`, `ubuntu2404`). Product-specific configuration lives in `products//product.yml`. + +## Repository Structure + +``` +applications/openshift/ # OCP4 and Kubernetes rules, organized by component +linux_os/guide/ # Linux rules (RHEL, RHCOS, etc.), organized by system area +controls/ # Compliance framework mappings (CIS, STIG, SRG, NIST, etc.) +products/ # Product definitions, profiles, and product-specific controls +shared/templates/ # Reusable check/remediation templates (60+ types) +shared/macros/ # Jinja2 macro files for generating OVAL, Ansible, Bash, etc. +components/ # Component definitions mapping rules to packages/groups +``` + +### Discovering Rule Directories + +- **OCP4/Kubernetes rules** live under `applications/openshift/`, organized by component (e.g., `api-server/`, `kubelet/`, `etcd/`). Each component directory contains rule subdirectories. The rule ID prefix typically matches the component directory name with hyphens replaced by underscores (e.g., rules in `api-server/` use the `api_server_` prefix). Browse `applications/openshift/` to see all component directories. +- **Linux rules** (RHEL, RHCOS, Fedora, Ubuntu, etc.) live under `linux_os/guide/`, organized by system area (e.g., `system/`, `services/`, `auditing/`). Browse the subdirectories to find the appropriate category for a rule. +- When placing a new rule, find 2-3 existing rules with a similar prefix or topic and place the new rule alongside them. + +## Rule Format + +Each rule lives in its own directory. The **directory name is the rule ID**. 
The directory contains `rule.yml` and optionally a `tests/` subdirectory. + +### `rule.yml` Fields + +```yaml +documentation_complete: true # Must be true for the rule to be built + +title: 'Short descriptive title' + +description: |- # Full description, supports HTML tags and Jinja2 macros + Description text here. + +rationale: |- # Why this rule matters + Rationale text here. + +severity: medium # low, medium, high, unknown + +identifiers: # Product-specific CCE identifiers + cce@ocp4: CCE-XXXXX-X + cce@rhel9: CCE-XXXXX-X + +references: # Compliance framework references + cis@ocp4: 1.2.3 # CIS benchmark section + nist: CM-6,CM-6(1) # NIST 800-53 controls + srg: SRG-APP-000516-CTR-001325 # DISA SRG ID + stigid@rhel9: RHEL-09-XXXXXX # STIG rule ID (product-scoped) + nerc-cip: CIP-003-8 R6 # NERC CIP references + pcidss: Req-2.2 # PCI DSS requirements + +ocil_clause: 'condition when rule fails' # Used in OCIL questionnaire + +ocil: |- # Manual check instructions + Run the following command: +
$ oc get ...
+ +platform: ocp4 # Platform applicability (optional) + +warnings: # Optional warnings section + - general: |- + Warning text, often includes openshift_cluster_setting macro. + +template: # Optional - uses a shared template for checks + name: yamlfile_value + vars: + ocp_data: "true" + filepath: '/api/path/here' + yamlpath: '.spec.field' + values: + - value: 'expected_value' + operation: "pattern match" + +fixtext: 'Remediation instructions' # STIG fixtext (optional) +srg_requirement: 'SRG requirement' # SRG requirement text (optional) +``` + +## Templates + +Templates generate OVAL checks, Ansible playbooks, and Bash remediation scripts automatically. + +### `yamlfile_value` (primary OCP4 template) + +Checks values in YAML/JSON files or API responses. + +```yaml +template: + name: yamlfile_value + vars: + ocp_data: "true" # "true" for OCP API data + filepath: '/apis/...' # API path or file path + yamlpath: '.spec.config.field' # JSONPath-like expression + check_existence: "at_least_one_exists" # Optional existence check + entity_check: "at least one" # How to evaluate multiple matches + values: + - value: 'expected' # Expected value or regex + type: "string" # string, int, boolean + operation: "pattern match" # equals, not equal, pattern match, + # greater than or equal, less than or equal + entity_check: "at least one" # Per-value entity check +``` + +### `file_permissions` (RHEL) + +```yaml +template: + name: file_permissions + vars: + filepath: /etc/cron.d/ + filemode: '0700' +``` + +### `shell_lineinfile` (RHEL) + +```yaml +template: + name: shell_lineinfile + vars: + path: '/etc/sysconfig/sshd' + parameter: 'SSH_USE_STRONG_RNG' + value: '32' + datatype: int # Optional + no_quotes: 'true' # Optional +``` + +### `sysctl` (RHEL) + +```yaml +template: + name: sysctl + vars: + sysctlvar: net.ipv6.conf.all.accept_ra + datatype: int +``` + +### `service_enabled` / `service_disabled` (RHEL) + +```yaml +template: + name: service_disabled + vars: + servicename: avahi 
+``` + +### `package_installed` / `package_removed` (RHEL) + +```yaml +template: + name: package_removed + vars: + pkgname: avahi + pkgname@ubuntu2204: avahi-daemon # Platform-specific overrides +``` + +## Common Jinja2 Macros + +Used in rule descriptions, OCIL, fixtext, and warnings fields: + +- `{{{ openshift_cluster_setting("/api/path") }}}` - Generates OCP API check instructions +- `{{{ openshift_filtered_cluster_setting({'/api/path': jqfilter}) }}}` - Filtered API check with jq +- `{{{ openshift_filtered_path('/api/path', jqfilter) }}}` - Generates filtered filepath for templates +- `{{{ full_name }}}` - Expands to product full name (e.g., "Red Hat Enterprise Linux 9") +- `{{{ xccdf_value("var_name") }}}` - References an XCCDF variable +- `{{{ weblink("https://...") }}}` - Creates an HTML link +- `{{{ describe_service_disable(service="name") }}}` - Standard service disable description +- `{{{ describe_service_enable(service="name") }}}` - Standard service enable description +- `{{{ describe_file_permissions(file="/path", perms="0700") }}}` - File permission description +- `{{{ describe_sysctl_option_value(sysctl="key", value="val") }}}` - Sysctl description +- `{{{ complete_ocil_entry_sysctl_option_value(sysctl="key", value="val") }}}` - Full OCIL for sysctl +- `{{{ complete_ocil_entry_package(package="name") }}}` - Full OCIL for package check +- `{{{ fixtext_package_removed("name") }}}` - Fixtext for package removal +- `{{{ fixtext_sysctl("key", "value") }}}` - Fixtext for sysctl setting +- `{{{ fixtext_directory_permissions(file="/path", mode="0600") }}}` - Fixtext for dir permissions + +## Control File Format + +Control files map compliance framework requirements to rules. 
They exist in two layouts: + +### Single-file format + +```yaml +# controls/stig_rhel9.yml (or products/rhel9/controls/stig_rhel9.yml) +policy: 'Red Hat Enterprise Linux 9 STIG' +title: 'DISA STIG for RHEL 9' +id: stig_rhel9 +source: https://www.cyber.mil/stigs/downloads/ +version: V2R7 +reference_type: stigid +product: rhel9 + +levels: + - id: high + - id: medium + - id: low + +controls: + - id: RHEL-09-211010 + levels: + - high + title: RHEL 9 must be a vendor-supported release. + rules: + - installed_OS_is_vendor_supported + status: automated +``` + +### Split-directory format + +``` +controls/cis_ocp.yml # Top-level: policy, title, id, levels +controls/cis_ocp/ # Directory with section files + section-1.yml # Controls for section 1 + section-2.yml # Controls for section 2 + ... +``` + +Section files contain nested controls: + +```yaml +controls: + - id: '1' + title: Control Plane Components + controls: + - id: '1.1' + title: Master Node Configuration Files + controls: + - id: 1.1.1 + title: Ensure that the API server pod specification... + status: automated + rules: + - file_permissions_kube_apiserver + levels: + - level_1 +``` + +### Control entry fields + +- `id` - Control identifier (e.g., "RHEL-09-211010", "1.2.3") +- `title` - Human-readable title +- `levels` - Applicable compliance levels +- `rules` - List of rule IDs that satisfy this control +- `status` - `automated`, `manual`, `inherently met`, `does not meet`, `pending`, `not applicable` +- `notes` - Optional notes explaining status or implementation + +## Profile File Format + +Profiles select which rules apply to a product. Located at `products//profiles/.profile`. + +```yaml +documentation_complete: true +title: 'Profile Title' +description: |- + Profile description text. 
+platform: ocp4 +metadata: + version: V2R7 + SMEs: + - github_username + +selections: + - control_id:all # Include all rules from a control file + - rule_id # Include a specific rule + - '!rule_id' # Exclude a specific rule + - var_name=value # Set a variable value +``` + +Common selection patterns: +- `stig_rhel9:all` - Pull in all rules from the stig_rhel9 control file +- `cis_ocp:all` - Pull in all rules from the cis_ocp control file +- `!audit_rules_immutable_login_uids` - Exclude a specific rule +- `var_sshd_set_keepalive=1` - Set a variable + +## Build Instructions + +```bash +# Build a single product (full build) +./build_product ocp4 + +# Build data stream only (faster, skips guides and tables) +./build_product ocp4 --datastream-only + +# Build with only specific rules (fastest, for testing individual rules) +./build_product ocp4 --datastream-only --rule-id api_server_tls_security_profile +``` + +Build output goes to `build/`. The data stream file is at: +`build/ssg--ds.xml` + +## Guidelines for Claude + +1. **Always show proposals before making changes.** Present the full content of any new or modified file and wait for explicit approval. +2. **Follow existing patterns.** Before creating a rule, find 2-3 similar existing rules and match their style exactly. +3. **Check for duplicates.** Before creating a new rule, search for existing rules that might already cover the requirement. +4. **Use the correct directory.** Find existing rules with the same prefix to determine the right directory. When in doubt, browse `applications/openshift/` or `linux_os/guide/` to find the appropriate component or category. +5. **Preserve formatting.** This project uses consistent YAML formatting. Match the indentation and style of surrounding content. +6. **Don't invent references.** Only include reference IDs (CCE, CIS, STIG, SRG, NIST) that the user provides or that exist in source documents. From d1e1f4a83b1426f08b184842d496157e75f69d05 Mon Sep 17 00:00:00 2001 
From: Miha Purg Date: Mon, 23 Feb 2026 16:16:34 +0100 Subject: [PATCH 184/265] Align file_ownerships_var_log with Ubuntu CIS The rule file_ownerships_var_log was fixed to allow log files to be owned by all system accounts (accounts without valid login shell). --- .../file_ownerships_var_log/bash/shared.sh | 21 ++++++++- .../file_ownerships_var_log/oval/shared.xml | 46 ++++++++++++++++--- .../tests/owned_by_nobody.fail.sh | 8 ---- .../tests/owned_by_root.pass.sh | 1 - .../tests/owned_by_sysacc.pass.sh | 10 ---- .../tests/owned_by_syslog.pass.sh | 3 +- .../tests/owned_by_user_with_shell.fail.sh | 9 ++++ .../tests/owned_by_user_without_shell.pass.sh | 9 ++++ 8 files changed, 80 insertions(+), 27 deletions(-) delete mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_nobody.fail.sh delete mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_sysacc.pass.sh create mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_with_shell.fail.sh create mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_without_shell.pass.sh diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh index ee4cce9fd671..eafb1e165112 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh 
@@ -7,6 +7,18 @@
 # see https://workbench.cisecurity.org/benchmarks/18959/tickets/23964
 # regarding sssd and gdm exclusions
+declare -A valid_shells
+while read -r line; do
+ [[ "$line" == /* ]] && valid_shells["$line"]=1
+done < /etc/shells
+
+declare -A users_with_valid_shells
+while IFS=: read -r user _ _ _ _ _ shell; do
+ if [[ ${valid_shells["$shell"]} == 1 ]]; then
+ users_with_valid_shells["$user"]=1
+ fi
+done < /etc/passwd
+
 find -P /var/log/ -type f -regextype posix-extended \
 ! -user root ! -user syslog \
 ! -name 'gdm' ! -name 'gdm3' \
@@ -26,4 +38,11 @@ find -P /var/log/ -type f -regextype posix-extended \
 ! -regex '.*/localmessages(.*)' \
 ! -regex '.*/secure(.*)' \
 ! -regex '.*/waagent.log(.*)' \
- -regex '.*' -exec chown --no-dereference root {} \;
+ -print0 | while IFS= read -r -d '' log_file
+ do
+ # Set to root if owned by a user with a valid shell
+ user=$(stat -c "%U" "$log_file")
+ if [[ "${users_with_valid_shells["$user"]}" == "1" ]]; then
+ chown --no-dereference root "$log_file"
+ fi
+ done
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml
index 95095bbb8837..b97743b02346 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml
@@ -20,8 +20,8 @@ - {{%- if product == "ubuntu2204" %}} - + {{%- if 'ubuntu' in product %}} + {{%- endif %}}
@@ -108,9 +108,43 @@ ^/var/log/exim4/.*$ {{% endif %}} - {{%- if product == "ubuntu2204" %}} - - {{{ uid_min }}} + + - {{%- endif %}} + + + + /etc/shells + ^(/.*)$ + 1 + + + + + + + + + /etc/passwd + ^[^:]+:[^:]+:([0-9]+):.*$ + 1 + {{{ rule_id }}}_state_shell_is_valid + + + + + + + + + ^.*:( + + )$ + + + + + + 
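Review bot: The remediation keys the shell lookup on the user name (`stat -c "%U"` and field 1 of /etc/passwd) while the OVAL hunk in the same commit keys on the numeric uid (the `^[^:]+:[^:]+:([0-9]+):.*$` pattern, instance 1), so check and fix can disagree when a uid appears more than once in /etc/passwd or when a file's owner has no passwd entry at all (`%U` then prints `UNKNOWN`, which is silently skipped). Keying the loop on the uid matches the check: `while IFS=: read -r _ _ uid _ _ _ shell; do`, `users_with_valid_shells["$uid"]=1`, and `user=$(stat -c "%u" "$log_file")`. A passwd entry with an empty shell field is treated here as having no valid shell, although such an account typically gets /bin/sh at login; if that is intended, a comment saying so would help. The same loop is added to file_groupownerships_var_log/bash/shared.sh in the following commit and has the same issue; the top of the script (lines 1–6) is outside the hunk.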
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_nobody.fail.sh
deleted file mode 100644
index 1bd7955a7dc2..000000000000
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_nobody.fail.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# packages = rsyslog
-
-chown root -R /var/log/*
-
-touch /var/log/test.log
-chown nobody /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh
index 3405d1f42030..c9ea476a15aa 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-# packages = rsyslog
 chown root -R /var/log/*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_sysacc.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_sysacc.pass.sh
deleted file mode 100644
index 70bb73134866..000000000000
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_sysacc.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# platform = Ubuntu 22.04
-# packages = rsyslog
-
-chown root -R /var/log/*
-
-useradd -r testUser
-
-touch /var/log/test.log
-chown testUser /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh
index 697ac57b5507..b13a50eff8b1 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-# packages = rsyslog
+
+useradd -r syslog || true
 chown root -R /var/log/*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_with_shell.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_with_shell.fail.sh
new file mode 100644
index 000000000000..6215bee12392
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_with_shell.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+useradd -m -s /bin/bash test_user_with_shell
+
+chown root:root -R /var/log/*
+
+touch /var/log/test_log_file
+chown test_user_with_shell /var/log/test_log_file
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_without_shell.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_without_shell.pass.sh
new file mode 100644
index 000000000000..b1e5fae1718f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_without_shell.pass.sh
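Review bot: `useradd -r syslog || true` in owned_by_syslog.pass.sh hides every useradd failure, not only "account already exists", so when creation fails for another reason the later `chown` runs against a missing account and the scenario reports a confusing chown error instead of a setup failure; `id syslog >/dev/null 2>&1 || useradd -r syslog` skips the call only when the account exists. The account is also created without `-s`, so it receives the default login shell; that is harmless here only because `syslog` is exempted by name in the remediation's `find` (and presumably in the OVAL), which a comment on the line could state.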
@@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +useradd -m -s /usr/sbin/nologin test_user_no_shell + +chown root:root -R /var/log/* + +touch /var/log/test_log_file +chown test_user_no_shell /var/log/test_log_file From 7d9f4fd62fa8016240c07a5961a5435e71e8b450 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Mon, 23 Feb 2026 16:48:51 +0100 Subject: [PATCH 185/265] Align file_groupownerships_var_log with Ubuntu CIS The rule file_groupownerships_var_log was fixed to allow log files to be owned by all system accounts (accounts without valid login shell). --- .../bash/shared.sh | 21 ++++++- .../oval/shared.xml | 56 +++++++++---------- .../tests/excluded_files.pass.sh | 1 - .../tests/owned_by_adm.pass.sh | 1 - .../tests/owned_by_nobody.fail.sh | 13 ----- .../tests/owned_by_non_sys_acc_grp.fail.sh | 12 ---- .../tests/owned_by_root.pass.sh | 1 - .../tests/owned_by_sys_acc_grp.pass.sh | 12 ---- .../tests/owned_by_user_with_shell.fail.sh | 9 +++ .../tests/owned_by_user_without_shell.pass.sh | 9 +++ 10 files changed, 64 insertions(+), 71 deletions(-) delete mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh delete mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh delete mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_sys_acc_grp.pass.sh create mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_with_shell.fail.sh create mode 100644 linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh 
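Review bot: This pass test is only valid if `/usr/sbin/nologin` is absent from `/etc/shells`, which is what the rule consults to decide whether a shell is valid, but the script neither documents nor checks that precondition; on an image whose `/etc/shells` lists `nologin`, the file would count as owned by a shell user and the `.pass.sh` expectation would break. Add a comment such as `# /usr/sbin/nologin must not be listed in /etc/shells, otherwise this account counts as having a login shell`, and drop the unused home directory with `useradd -M -s /usr/sbin/nologin test_user_no_shell`. The same applies to file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh added later in this series.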
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh index 6579223bec38..db9e7825fbab 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh @@ -7,6 +7,18 @@ # see https://workbench.cisecurity.org/benchmarks/18959/tickets/23964 # regarding sssd and gdm exclusions +declare -A valid_shells +while read -r line; do + [[ "$line" == /* ]] && valid_shells["$line"]=1 +done < /etc/shells + +declare -A users_with_valid_shells +while IFS=: read -r user _ _ _ _ _ shell; do + if [[ ${valid_shells["$shell"]} == 1 ]]; then + users_with_valid_shells["$user"]=1 + fi +done < /etc/passwd + find -P /var/log/ -type f -regextype posix-extended \ ! -group root ! -group adm \ ! -name 'gdm' ! -name 'gdm3' \ @@ -26,4 +38,11 @@ find -P /var/log/ -type f -regextype posix-extended \ ! -regex '.*/localmessages(.*)' \ ! -regex '.*/secure(.*)' \ ! -regex '.*/waagent.log(.*)' \ - -regex '.*' -exec chgrp --no-dereference root {} \; + -print0 | while IFS= read -r -d '' log_file + do + # Set to root if owned by a user with a valid shell + user=$(stat -c "%U" "$log_file") + if [[ "${users_with_valid_shells["$user"]}" == "1" ]]; then + chgrp --no-dereference root "$log_file" + fi + done diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml index bb1b411ae7fe..02f7f4ce5fdb 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml 
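Review bot: The new loop keys its decision on the file's owning user (`stat -c "%U"`) and that user's login shell, but this is the group-ownership rule: the OVAL rewritten in the same commit appears (its tags are stripped here, so this is inferred from the remaining regexes) to collect the primary GID of every `/etc/passwd` entry whose shell is in `/etc/shells` and compare it with the file's group. A file owned by a no-shell daemon account but group-owned by a shell user's primary group is therefore reported by the scan and left untouched by this remediation, while root-owned files are always reset only because root's shell happens to be valid. Index the lookup table by primary GID and query the file's group with `stat -c "%g"`; the `-n "$shell"` guard also avoids an empty associative-array subscript for passwd entries with an empty shell field. The table is built in the first hunk of this file and consumed in the second.
```shell
# … unchanged: valid_shells populated from /etc/shells …

# Primary GIDs of accounts whose login shell is listed in /etc/shells
declare -A gids_of_shell_users
while IFS=: read -r _ _ _ gid _ _ shell; do
  if [[ -n "$shell" && "${valid_shells["$shell"]}" == "1" ]]; then
    gids_of_shell_users["$gid"]=1
  fi
done < /etc/passwd

# … unchanged: find -P /var/log/ … exclusions … -print0 | while IFS= read -r -d '' log_file
  do
    # Reset the group if it is the primary group of a user with a valid shell
    gid=$(stat -c "%g" "$log_file")
    if [[ "${gids_of_shell_users["$gid"]}" == "1" ]]; then
      chgrp --no-dereference root "$log_file"
    fi
  done
```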
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml @@ -21,8 +21,8 @@ - {{%- if product == "ubuntu2204" %}} - + {{%- if 'ubuntu' in product %}} + {{%- endif %}} @@ -96,47 +96,43 @@ ^waagent\.log.*$ - {{%- if product == "ubuntu2204" %}} - - + {{%- if 'ubuntu' in product %}} + + - - - - - - /etc/group - + + + /etc/shells + ^(/.*)$ 1 - - - ^[^:]+:[^:]*:( - - ):$ - + + - - + + /etc/passwd - + ^[^:]+:[^:]+:[0-9]+:([0-9]+):.*$ 1 + {{{ rule_id }}}_state_shell_is_valid - + + + + + - ^[^:]*:[^:]*: - - :(\d+):.*$ + ^.*:( + + )$ - - /etc/passwd - ^[^:]+:[^:]*:(\d\d?\d?):.*$ - 1 - + + + {{%- endif %}} diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh index 1960379c3e08..7dd2a108ed05 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog chgrp root -R /var/log/* diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh index 4afa612eb706..be307cb3eced 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog chgrp root -R /var/log/* 
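Review bot: The rewritten check derives the set of "shell user" groups from the primary GID field of `/etc/passwd` (`^[^:]+:[^:]+:[0-9]+:([0-9]+):.*$`) only; the removed object that parsed `/etc/group` member lists also covered supplementary membership, so a log file group-owned by a group that a shell user merely belongs to is no longer flagged (the OVAL tags are stripped here, so this reading is inferred from the surviving regexes). If narrowing to primary groups is the intended CIS alignment, the rule description should say so, because the bash remediation and the tests in this commit now depend on that definition. Separately, `[^:]+` for the password field excludes passwd entries with an empty second field; `[^:]*` matches the file format.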
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh deleted file mode 100644 index 207dd03b6cd1..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# packages = rsyslog - -chgrp root -R /var/log/* - -touch /var/log/test.log -chgrp nogroup /var/log/test.log -{{%- if product == 'ubuntu2204' %}} -#make sure nogroup has members -usermod -aG nogroup nobody -chown nobody /var/log/test.log -{{%- endif %}} diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh deleted file mode 100644 index 53bcf848e1a5..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# packages = rsyslog - -chown root -R /var/log/* - -groupadd testgroup -useradd testUser -usermod -g testgroup testUser - -touch /var/log/test.log -chgrp testgroup /var/log/test.log diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh index a9b0b730fe07..a04a0c38499b 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh 
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog chgrp root -R /var/log/* diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_sys_acc_grp.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_sys_acc_grp.pass.sh deleted file mode 100644 index 49afdf1ad47b..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_sys_acc_grp.pass.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# platform = Ubuntu 22.04 -# packages = rsyslog - -chown root -R /var/log/* - -groupadd testgroup -useradd -r testUser -usermod -g testgroup testUser - -touch /var/log/test.log -chgrp testgroup /var/log/test.log diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_with_shell.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_with_shell.fail.sh new file mode 100644 index 000000000000..3308000d466e --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_with_shell.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +useradd -m -s /bin/bash test_user_with_shell + +chown root:root -R /var/log/* + +touch /var/log/test_log_file +chgrp test_user_with_shell /var/log/test_log_file 
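Review bot: `chgrp test_user_with_shell /var/log/test_log_file` assumes `useradd` created a private group with the same name, which depends on `USERGROUPS_ENAB` in `login.defs` rather than on anything the test controls; where that setting is off the `chgrp` fails, the file stays root:root and the scenario no longer exercises the rule. Request the group explicitly and skip the unused home directory: `useradd -U -M -s /bin/bash test_user_with_shell`. The same applies to owned_by_user_without_shell.pass.sh in the next file of this commit.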
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh new file mode 100644 index 000000000000..d985321e5124 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +useradd -m -s /usr/sbin/nologin test_user_no_shell + +chown root:root -R /var/log/* + +touch /var/log/test_log_file +chgrp test_user_no_shell /var/log/test_log_file From 56d5f4fe5854a968a00f1d080ade8c72812c8303 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Tue, 24 Feb 2026 19:23:22 +0000 Subject: [PATCH 186/265] Run test_product_stability.py --update-reference-data Signed-off-by: Alan Moore --- tests/data/product_stability/ubuntu2204.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml index 7010b1dae93a..53c86f2be504 100644 --- a/tests/data/product_stability/ubuntu2204.yml +++ b/tests/data/product_stability/ubuntu2204.yml @@ -11,6 +11,9 @@ audit_binaries: - /sbin/autrace - /sbin/auditd - /sbin/augenrules +- /sbin/audisp-syslog +- /sbin/audisp-remote +- /sbin/audispd-zos-remote audit_watches_style: legacy auid: 1000 basic_properties_derived: true From f2048bd3b9d6775d4d53b5d9bf908b9fff6fb881 Mon Sep 17 00:00:00 2001 
From: Samir MOUHOUNE Date: Mon, 23 Feb 2026 22:23:57 +0100 Subject: [PATCH 187/265] core(ssg): add product-overridable SSH path variables and update shared macros Introduce product properties for SSH path customization:\n- sshd_main_config_file\n- sshd_config_dir\n- sshd_config_base_dir\n- sshd_hardening_config_basename\n- sshd_sysconfig_file\n\nWire these properties into shared SSH macros used by OVAL, Bash, Ansible, OCIL, and fixtext generation.\nDefaults preserve existing behavior for all current products. --- shared/macros/10-ansible.jinja | 16 ++++++++++------ shared/macros/10-bash.jinja | 26 ++++++++++++++------------ shared/macros/10-fixtext.jinja | 6 ++++-- shared/macros/10-ocil.jinja | 15 ++++++++++----- shared/macros/10-oval.jinja | 29 +++++++++++++++-------------- ssg/constants.py | 4 ++++ ssg/products.py | 19 +++++++++++++++++++ 7 files changed, 76 insertions(+), 39 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index fe432b975fc5..3113bf55e701 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -212,11 +212,14 @@ value: :code:`Setting={{ varname1 }}` :type config_basename: str #}} -{{%- macro ansible_sshd_set(msg='', parameter='', value='', config_is_distributed="false", config_basename="00-complianceascode-hardening.conf", rule_title=None) %}} +{{%- macro ansible_sshd_set(msg='', parameter='', value='', config_is_distributed="false", config_basename="", rule_title=None) %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{% if product in ["ol8", "ol9"] %}} - name: "Find sshd_config included files" ansible.builtin.shell: |- - included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|') + included_files=$(grep -oP "^\s*(?i)include.*" {{{ sshd_main_config }}} | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|{{{ sshd_base_dir }}}/&|') [[ -n $included_files ]] && ls $included_files || true register: sshd_config_included_files 
@@ -229,9 +232,10 @@ value: :code:`Setting={{ varname1 }}` {{% endif %}} {{%- if config_is_distributed == "true" %}} -{{% set config_dir = "/etc/ssh/sshd_config.d" %}} -{{% set config_file = "/etc/ssh/sshd_config.d" ~ "/" ~ config_basename %}} -{{{ ansible_set_config_file_dir(msg, config_file="/etc/ssh/sshd_config", config_dir=config_dir, set_file=config_file, parameter=parameter, separator_regex="\s+", value=value, prefix_regex="(?i)^\s*", create='yes', validate='/usr/sbin/sshd -t -f %s', insert_after='', insert_before="BOF", rule_title=rule_title) }}} +{{% set hardening_config_basename = config_basename or sshd_hardening_config_basename %}} +{{% set config_dir = sshd_drop_in_dir %}} +{{% set config_file = sshd_drop_in_dir ~ "/" ~ hardening_config_basename %}} +{{{ ansible_set_config_file_dir(msg, config_file=sshd_main_config, config_dir=config_dir, set_file=config_file, parameter=parameter, separator_regex="\s+", value=value, prefix_regex="(?i)^\s*", create='yes', validate='/usr/sbin/sshd -t -f %s', insert_after='', insert_before="BOF", rule_title=rule_title) }}} - name: {{{ rule_title }}} - set file mode for {{{ config_file }}} ansible.builtin.file: path: {{{ config_file }}} @@ -240,7 +244,7 @@ value: :code:`Setting={{ varname1 }}` modification_time: preserve access_time: preserve {{%- else %}} -{{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="BOF", rule_title=rule_title) }}} +{{{ ansible_set_config_file(msg, sshd_main_config, parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="BOF", rule_title=rule_title) }}} {{%- endif %}} {{%- endmacro %}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 7ad8a71c0246..2ffdd0ee9785 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
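Review bot: `validate='/usr/sbin/sshd -t -f %s'` stays hardcoded in both the distributed and the plain branch of `ansible_sshd_set` while every sshd config location in the macro became a product property; a product that relocates `sshd_config` (the stated purpose of this change) is at least as likely to ship the daemon under a different prefix, and then every Ansible remediation fails validation. Consider a companion product property for the daemon path (e.g. `sshd_binary`, a proposed name) wired into `validate` the same way. In the ol8/ol9 block of the first hunk, `{{{ sshd_main_config }}}` and `{{{ sshd_base_dir }}}` are spliced unquoted into a shell pipeline and a `sed 's|…|'` replacement, so a path containing whitespace, `|` or `&` would break the task; a one-line comment on that accepted constraint would help product authors.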
@@ -173,8 +173,9 @@ test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" #}} {{%- macro bash_sshd_config_set(parameter, value, rule_id=None) -%}} +{{%- set sshd_config_path = sshd_main_config_file -%}} {{{ set_config_file( - path="/etc/ssh/sshd_config", + path=sshd_config_path, parameter=parameter, value=value, create=true, @@ -201,14 +202,15 @@ test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" :type config_basename: str #}} -{{% macro bash_sshd_remediation(parameter, value, config_is_distributed="false", config_basename="00-complianceascode-hardening.conf", rule_id=None) -%}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{% macro bash_sshd_remediation(parameter, value, config_is_distributed="false", config_basename="", rule_id=None) -%}} +{{%- set sshd_config_path = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{% if product in ["ol8", "ol9"] %}} # Find the include keyword, extract from the line the glob expression representing included files. -# And if it is a relative path prepend '/etc/ssh/' -included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|') +# And if it is a relative path prepend '{{{ sshd_base_dir }}}/' +included_files=$(grep -oP "^\s*(?i)include.*" {{{ sshd_config_path }}} | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|{{{ sshd_base_dir }}}/&|') for included_file in ${included_files} ; do {{{ lineinfile_absent("$included_file", "^\s*" ~ parameter, insensitive=true, rule_id=rule_id) | indent(4) }}} done 
@@ -216,15 +218,15 @@ done {{%- if config_is_distributed == "true" %}} {{%- set prefix_regex = "^\s*" -%}} {{%- set separator_regex = "\s\+" -%}} -{{%- set hardening_config_basename = config_basename %}} +{{%- set hardening_config_basename = config_basename or sshd_hardening_config_basename %}} {{%- set line_regex = prefix_regex ~ parameter ~ separator_regex %}} -mkdir -p {{{ sshd_config_dir }}} -touch {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} -chmod 0600 {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} +mkdir -p {{{ sshd_drop_in_dir }}} +touch {{{ sshd_drop_in_dir }}}/{{{ hardening_config_basename }}} +chmod 0600 {{{ sshd_drop_in_dir }}}/{{{ hardening_config_basename }}} {{{ lineinfile_absent(sshd_config_path, line_regex, insensitive=true, rule_id=rule_id) }}} -{{{ lineinfile_absent_in_directory(sshd_config_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} +{{{ lineinfile_absent_in_directory(sshd_drop_in_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} {{{ set_config_file( - path=sshd_config_dir ~ "/" ~ hardening_config_basename, + path=sshd_drop_in_dir ~ "/" ~ hardening_config_basename, parameter=parameter, value=value, create=true, diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 1ecca316fe66..ebba0ef3a26b 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja 
@@ -233,10 +233,12 @@ The audit daemon must be restarted for the changes to take effect. #}} {{%- macro fixtext_sshd_lineinfile(parameter, value, config_is_distributed) -%}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename -%}} {{%- if config_is_distributed -%}} -{{%- set path = "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" -%}} +{{%- set path = sshd_hardening_config -%}} {{%- else -%}} -{{%- set path = "/etc/ssh/sshd_config" -%}} +{{%- set path = sshd_main_config -%}} {{%- endif -%}} To configure the system add or modify the following line in "{{{ path }}}". diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index ab94d0956921..76759bdde775 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -26,10 +26,12 @@ $ oc get {{% if all_namespaces %}}--all-namespaces{{% elif namespace %}}-n {{{ n {{% macro sshd_config_file() %}} + {{% set sshd_main_config = sshd_main_config_file %}} + {{% set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename %}} {{% if sshd_distributed_config == "true" %}} - /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: + {{{ sshd_hardening_config }}}: {{% else %}} - /etc/ssh/sshd_config: + {{{ sshd_main_config }}}: {{% endif %}} {{%- endmacro %}} @@ -509,14 +511,17 @@ ocil_clause: "the required value is not set" #}} {{% macro ocil_sshd_option(default, option, value) -%}} + {{% set sshd_main_config = sshd_main_config_file %}} + {{% set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename %}} + {{% set sshd_reinforce_defaults_config = sshd_config_dir ~ "/01-complianceascode-reinforce-os-defaults.conf" %}} To determine how the SSH daemon's {{{ option }}} option is set, run the following command: {{% if sshd_distributed_config == "true" %}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+
$ sudo grep -i {{{ option }}} {{{ sshd_hardening_config }}}
{{% if default == "yes" -%}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+
$ sudo grep -i {{{ option }}} {{{ sshd_reinforce_defaults_config }}}
{{%- endif %}} {{% else %}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config
+
$ sudo grep -i {{{ option }}} {{{ sshd_main_config }}}
{{% endif %}} If a line indicating {{{ value }}} is returned, then the required value is set. {{%- endmacro %}} diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 6466728189db..48c0cd829fd9 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1034,16 +1034,17 @@ Generates the :code:`` tag for OVAL check using correct product platfo #}} {{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_main_config = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{%- set sshd_runtime_path = "/tmp/runtime/sshd_effective_config" -%}} {{%- if xccdf_variable -%}} -{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_main_config %}} {{%- else -%}} -{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_config_path %}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_main_config %}} {{%- endif -%}} {{%- if config_is_distributed == "true" %}} -{{%- set description = description ~ " or in " ~ sshd_config_dir -%}} +{{%- set description = description ~ " or in " ~ sshd_drop_in_dir -%}} {{%- endif %}} {{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} 
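Review bot: In `ocil_sshd_option`, `sshd_reinforce_defaults_config` keeps `01-complianceascode-reinforce-os-defaults.conf` as a literal while the neighbouring hardening file name now comes from `sshd_hardening_config_basename`; a product that overrides the hardening basename will see one product-specific and one fixed default name in the same OCIL text, and the `00-`/`01-` ordering the two names encode may no longer hold by construction. Either derive both names from properties or add a comment stating that the reinforce-defaults name is intentionally fixed. Also, the added `{{% set … %}}` lines in `sshd_config_file` and `ocil_sshd_option` carry no whitespace control, unlike the `{{%- … -%}}` form used in the fixtext and oval macros of this commit, so each renders as an indented empty line in the OCIL output.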
@@ -1081,10 +1082,10 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endif %}} {{%- if runtime_check != "true" %}} - - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} + + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} {{%- if config_is_distributed == "true" %}} - {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} + {{{- oval_line_in_directory_criterion(sshd_drop_in_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} {{%- endif %}} {{% if product in ["ol8", "ol9"] %}} {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} @@ -1105,11 +1106,11 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{% if product in ["ol8", "ol9"] %}} - {{{ oval_line_in_file_object(sshd_config_path, parameter="include", id_stem="sshd_include_value_" ~ rule_id, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} + {{{ oval_line_in_file_object(sshd_main_config, parameter="include", id_stem="sshd_include_value_" ~ rule_id, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} - ^(/etc/ssh/(?!/))? + ^({{{ sshd_base_dir }}}/(?!/))? 
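Review bot: `^({{{ sshd_base_dir }}}/(?!/))?` in the ol8/ol9 include-path state splices the directory into a regular expression without escaping; the default `/etc/ssh` is safe, but an override containing `.` or `+` changes the pattern's meaning. The rule-level OVAL files later in this series escape dots with `| replace(".", "\\.")`, so the macro should do the same: `^({{{ sshd_base_dir | replace(".", "\\.") }}}/(?!/))?`. The `sshd_oval_check` macro continues outside these hunks.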
@@ -1136,8 +1137,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} - {{{ oval_line_in_file_test(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} - {{{ oval_line_in_file_object(sshd_config_path, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} + {{{ oval_line_in_file_test(sshd_main_config, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_file_object(sshd_main_config, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} {{%- if xccdf_variable -%}} {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype, rule_id=rule_id) }}} {{%- else -%}} @@ -1145,8 +1146,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endif -%}} {{%- if config_is_distributed == "true" %}} - {{{ oval_line_in_directory_test(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} - {{{ oval_line_in_directory_object(sshd_config_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}} + {{{ oval_line_in_directory_test(sshd_drop_in_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_directory_object(sshd_drop_in_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}} {{%- if xccdf_variable -%}} {{{ oval_line_in_directory_state_xccdf_variable(xccdf_variable, datatype, rule_id=rule_id) | indent (2) }}} {{%- else -%}} diff --git a/ssg/constants.py b/ssg/constants.py index f104ecec2c34..1f4ae4a5631c 100644 --- a/ssg/constants.py +++ b/ssg/constants.py 
@@ -459,6 +459,10 @@ DEFAULT_FAILLOCK_PATH = '/var/run/faillock' DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false' DEFAULT_SSH_RUNTIME_CHECK = 'false' +DEFAULT_SSHD_MAIN_CONFIG_FILE = '/etc/ssh/sshd_config' +DEFAULT_SSHD_CONFIG_DIR = '/etc/ssh/sshd_config.d' +DEFAULT_SSHD_HARDENING_CONFIG_BASENAME = '00-complianceascode-hardening.conf' +DEFAULT_SSHD_SYSCONFIG_FILE = '/etc/sysconfig/sshd' DEFAULT_PRODUCT = 'example' DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf' DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/' diff --git a/ssg/products.py b/ssg/products.py index 4c1e0c65367d..93eaa1857708 100644 --- a/ssg/products.py +++ b/ssg/products.py @@ -17,6 +17,10 @@ DEFAULT_RSYSLOG_CAFILE, DEFAULT_SSH_DISTRIBUTED_CONFIG, DEFAULT_SSH_RUNTIME_CHECK, + DEFAULT_SSHD_MAIN_CONFIG_FILE, + DEFAULT_SSHD_CONFIG_DIR, + DEFAULT_SSHD_HARDENING_CONFIG_BASENAME, + DEFAULT_SSHD_SYSCONFIG_FILE, DEFAULT_CHRONY_CONF_PATH, DEFAULT_CHRONY_D_PATH, DEFAULT_AUDISP_CONF_PATH, @@ -111,6 +115,21 @@ def _get_implied_properties(existing_properties): if "sshd_runtime_check" not in existing_properties: result["sshd_runtime_check"] = DEFAULT_SSH_RUNTIME_CHECK + if "sshd_main_config_file" not in existing_properties: + result["sshd_main_config_file"] = DEFAULT_SSHD_MAIN_CONFIG_FILE + + if "sshd_config_dir" not in existing_properties: + result["sshd_config_dir"] = DEFAULT_SSHD_CONFIG_DIR + + if "sshd_config_base_dir" not in existing_properties: + result["sshd_config_base_dir"] = os.path.dirname(result["sshd_main_config_file"]) + + if "sshd_hardening_config_basename" not in existing_properties: + result["sshd_hardening_config_basename"] = DEFAULT_SSHD_HARDENING_CONFIG_BASENAME + + if "sshd_sysconfig_file" not in existing_properties: + result["sshd_sysconfig_file"] = DEFAULT_SSHD_SYSCONFIG_FILE + if "product" not in existing_properties: result["product"] = DEFAULT_PRODUCT From cf8fcd07d952ed040593fb83a5fba819f1142670 Mon Sep 17 00:00:00 2001 
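Review bot: `result["sshd_config_base_dir"] = os.path.dirname(result["sshd_main_config_file"])` raises `KeyError` in exactly the case the feature exists for: a product that sets `sshd_main_config_file` but not `sshd_config_base_dir`, because the preceding block only writes `result["sshd_main_config_file"]` when the key is absent from `existing_properties` (unless `result` is seeded from `existing_properties` earlier in `_get_implied_properties`, whose head is outside the hunk). Read the effective value instead: `main_config = existing_properties.get("sshd_main_config_file", result.get("sshd_main_config_file", DEFAULT_SSHD_MAIN_CONFIG_FILE))` followed by `result["sshd_config_base_dir"] = os.path.dirname(main_config)`. The hunk also introduces `os.path.dirname`; confirm `os` is imported in ssg/products.py, which is not visible here.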
From: Samir MOUHOUNE Date: Mon, 23 Feb 2026 22:24:13 +0100 Subject: [PATCH 188/265] rules(ssh_server): replace hardcoded sshd paths with product variables Migrate ssh_server rule implementations to the new product-overridable SSH path model.\n\nThis updates OVAL checks, Bash remediations, Ansible remediations, and rule text where needed so rules derive paths from product variables instead of hardcoded /etc/ssh locations.\n\nDefault behavior remains unchanged via default product values. --- .../oval/shared.xml | 12 ++++++++--- .../sshd_limit_user_access/oval/shared.xml | 13 ++++++++---- .../sshd_rekey_limit/oval/shared.xml | 18 ++++++++-------- .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 21 +++++++------------ .../sshd_set_idle_timeout/oval/shared.xml | 11 ++++++---- .../sshd_set_login_grace_time/oval/shared.xml | 6 ++++-- .../sshd_set_max_auth_tries/oval/shared.xml | 6 ++++-- .../sshd_set_max_sessions/oval/shared.xml | 6 ++++-- .../sshd_use_approved_ciphers/bash/shared.sh | 6 +++++- .../sshd_use_approved_ciphers/oval/shared.xml | 3 ++- .../ansible/shared.yml | 8 +------ .../bash/shared.sh | 10 ++++----- .../oval/shared.xml | 3 ++- .../oval/ubuntu.xml | 6 ++++-- .../ansible/shared.yml | 10 ++------- .../bash/shared.sh | 7 +------ .../oval/shared.xml | 2 +- .../oval/ubuntu.xml | 6 ++++-- .../rule.yml | 4 ++-- .../sshd_use_approved_macs/bash/shared.sh | 6 +++++- .../sshd_use_approved_macs/oval/shared.xml | 3 ++- .../ansible/shared.yml | 8 +------ .../bash/shared.sh | 10 ++++----- .../oval/shared.xml | 3 ++- .../oval/ubuntu.xml | 6 ++++-- .../bash/shared.sh | 15 +++++++------ .../oval/shared.xml | 3 +-- .../sshd_use_strong_kex/oval/shared.xml | 6 ++++-- .../sshd_use_strong_macs/oval/shared.xml | 7 ++++--- 29 files changed, 120 insertions(+), 105 deletions(-) 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml index 0370a61865c4..4f652f5c1c22 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml @@ -1,3 +1,9 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_drop_in_include_regex = (sshd_drop_in_dir | replace(".", "\\.")) ~ "/\\*\\.conf" -%}} +{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}} +{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}} +{{%- set sshd_config_locations_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}} {{{ oval_metadata("Ensure SSHD to include the system crypto policy", rule_title=rule_title) }}} @@ -13,8 +19,8 @@ - /etc/ssh/sshd_config - ^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$ + {{{ sshd_main_config }}} + ^[ \t]*(?i)Include(?-i)[ \t]+{{{ sshd_drop_in_include_regex }}}$ 1 @@ -25,7 +31,7 @@ - /etc/ssh/(sshd_config|sshd_config\.d/.*\.conf) + {{{ sshd_config_locations_regex }}} ^[ \t]*(?i)Include(?-i)[ \t]+/etc/crypto-policies/back-ends/opensshserver\.config$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml index aff4c3172b75..64801d0bb571 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml 
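Review bot: The `{{%- set … -%}}` preamble that builds the escaped path regexes is repeated almost verbatim in sshd_limit_user_access/oval/shared.xml in the same commit, under a different name for the same expression (`sshd_config_locations_regex` here, `sshd_any_config_regex` there); a shared macro in 10-oval.jinja (e.g. `sshd_config_files_regex()`, a proposed name) would keep the escaping rules in one place. `replace(".", "\\.")` escapes only dots, so an override containing other regex metacharacters (`+`, `(`, `[`) would still be interpreted as a pattern; either document that constraint on the product property or escape those characters as well.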
@@ -1,3 +1,8 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}} +{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}} +{{%- set sshd_any_config_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}} {{{ oval_metadata("One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}} @@ -27,22 +32,22 @@ - ^\/etc\/ssh\/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$ 1 - ^/etc/ssh/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$ 1 - ^/etc/ssh/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$ 1 - ^/etc/ssh/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml index 918c6c789006..f8056fa2f5fc 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml 
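Review bot: Replacing `^/etc/ssh/sshd_config.*$` with the anchored `^(main|drop-in/.*\.conf)$` form is a semantic change, not a pure path substitution: the old pattern also matched `/etc/ssh/sshd_config.bak`-style leftovers and drop-in files without a `.conf` suffix, the new one accepts only the main file and `*.conf` under the drop-in directory. That tightening is the more faithful model of what sshd reads, but it contradicts the commit message's "Default behavior remains unchanged" and can flip a previously passing scan where AllowUsers/DenyUsers lived only in such a file; call it out in the commit or rule description. The same expression is built independently in sshd_include_crypto_policy/oval/shared.xml.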
@@ -1,9 +1,9 @@ {{%- set parameter = "RekeyLimit" %}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} -{{%- set description = "Ensure " ~ parameter ~ " is configured with the appropriate value in " ~ sshd_config_path %}} +{{%- set sshd_main_config = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set description = "Ensure " ~ parameter ~ " is configured with the appropriate value in " ~ sshd_main_config %}} {{%- if sshd_distributed_config == "true" %}} -{{%- set description = description ~ " or in " ~ sshd_config_dir -%}} +{{%- set description = description ~ " or in " ~ sshd_drop_in_dir -%}} {{%- endif %}} @@ -14,15 +14,15 @@ {{{- application_required_or_requirement_unset() }}} {{%- if sshd_distributed_config == "true" %}} - {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, rule_id=rule_id) | indent(8) }}} + {{{- oval_line_in_directory_criterion(sshd_drop_in_dir, parameter, rule_id=rule_id) | indent(8) }}} - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, rule_id=rule_id) }}} + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, rule_id=rule_id) }}} {{%- else %}} - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, rule_id=rule_id) }}} + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, rule_id=rule_id) }}} {{%- endif %}} @@ -35,7 +35,7 @@ - {{{ sshd_config_path }}} + {{{ sshd_main_config }}} ^[\s]*{{{ parameter }}}[\s]+(.*)$ 1 @@ -54,7 +54,7 @@ - {{{ sshd_config_dir}}} + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*{{{ parameter }}}[\s]+(.*)$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml index d9d64b684db5..70d69a882e6c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml 
@@ -1,3 +1,5 @@ +{{% set sshd_main_config = sshd_main_config_file %}} +{{% set sshd_drop_in_glob = sshd_config_dir ~ "/*" %}} documentation_complete: true title: 'Force frequent session key renegotiation' @@ -34,24 +36,17 @@ ocil: |- To check if RekeyLimit is set correctly, run the following command: {{% if sshd_distributed_config == "true" %}} -
$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+
$ sudo grep RekeyLimit {{{ sshd_main_config }}} {{{ sshd_drop_in_glob }}}
{{% else %}} -
$ sudo grep RekeyLimit /etc/ssh/sshd_config
+
$ sudo grep RekeyLimit {{{ sshd_main_config }}}
{{% endif %}} If configured properly, output should be
RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}
fixtext: |- - {{% if sshd_distributed_config == "true" %}} - Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" file: - {{% else %}} - Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" file: - {{% endif %}} - - RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}} - - Restart the SSH daemon for the settings to take effect. - - $ sudo systemctl restart sshd.service + {{{ fixtext_sshd_lineinfile( + parameter="RekeyLimit", + value=xccdf_value("var_rekey_limit_size") ~ " " ~ xccdf_value("var_rekey_limit_time"), + config_is_distributed=(sshd_distributed_config == "true")) }}} srg_requirement: '{{{ full_name }}} must force a frequent session key renegotiation for SSH connections to the server.' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml index c4f7f309a530..d5a4b06fe916 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml @@ -1,3 +1,6 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{{ oval_metadata("The SSH idle timeout interval should be set to an @@ -53,7 +56,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -67,7 +70,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ 1 
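Review bot: `sshd_drop_in_glob` is `sshd_config_dir ~ "/*"`, so the OCIL command greps every file in the drop-in directory, while the OVAL for this rule only inspects files matching `.*\.conf$` and sshd itself only includes `*.conf`; `{{% set sshd_drop_in_glob = sshd_config_dir ~ "/*.conf" %}}` keeps the manual check aligned with both. The `fixtext_sshd_lineinfile` call passes `config_is_distributed=(sshd_distributed_config == "true")`, a boolean, whereas the bash and ansible macro calls elsewhere in this diff pass the raw `sshd_distributed_config` string; presumably the macros differ in what they expect, but it is worth confirming so a string `"false"` is never treated as truthy anywhere.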
@@ -76,7 +79,7 @@ {{%- if product in ["ol8", "ol9"] %}} - /etc/ssh/sshd_config + {{{ sshd_main_config }}} (?i)^\s*Include\s+(.*)$ 1 @@ -84,7 +87,7 @@ - ^(/etc/ssh/(?!/))? + ^({{{ sshd_base_dir }}}/(?!/))? diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml index f1c5911ebcc0..53d51f2abb17 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("The SSH number seconds for login grace time should be set to an @@ -44,7 +46,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -59,7 +61,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)LoginGraceTime(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml index 117054f7f9eb..ce045e925251 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("The SSH MaxAuthTries should be set to an @@ -44,7 +46,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -59,7 +61,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)MaxAuthTries(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 
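Review bot: In the last hunk of sshd_set_idle_timeout/oval/shared.xml, `sshd_base_dir` is interpolated into the pattern `^({{{ sshd_base_dir }}}/(?!/))?` without any escaping, while the other files in this diff at least escape `.` via `replace(".", "\\.")`; a product override containing a regex metacharacter would silently change what the `Include` path check matches. Defining `{{%- set sshd_base_dir_regex = sshd_config_base_dir | replace(".", "\\.") -%}}` at the top of the file and using it here keeps this file consistent with the rest of the series. This hunk is gated on `ol8`/`ol9`, and the element the pattern belongs to is not fully visible in the hunk.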
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml index 0eff641eb037..207e84401ee0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("The SSH number of max sessions should be set to an @@ -44,7 +46,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -59,7 +61,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)MaxSessions(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh index 5163c19d87f8..0c9d1b452478 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh @@ -2,4 +2,8 @@ {{{ bash_instantiate_variables("sshd_approved_ciphers") }}} -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Ciphers', "$sshd_approved_ciphers", '%s %s', cce_identifiers=cce_identifiers) }}} +{{{ bash_sshd_remediation( + parameter="Ciphers", + value="$sshd_approved_ciphers", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml index ec798161c368..52ca8097c258 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml 
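Review bot: The new `bash_sshd_remediation` call in sshd_use_approved_ciphers/bash/shared.sh drops the `cce_identifiers=cce_identifiers` argument that the replaced `bash_replace_or_append` call passed; if the macro supports CCE tagging of the generated fix, that annotation is lost, and if it does not, the omission should be confirmed as deliberate. The same applies to sshd_use_approved_macs/bash/shared.sh later in this diff. Moving from a single-file `'^Ciphers'` replacement to the distributed-aware macro also means the remediation may now land in the drop-in directory when `sshd_distributed_config` is true, which matches the OVAL changes but is a behavioural change worth a line in the commit message.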
@@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -36,7 +37,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml index f6dc16cfe0cf..c642d4c55fb4 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml @@ -8,11 +8,5 @@ {{{ ansible_instantiate_variables('sshd_approved_ciphers') }}} {{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- else %}} -- name: "Configure sshd to use approved ciphers" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' - state: present - regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' - create: True +{{{ ansible_sshd_set(parameter="Ciphers", value="aes256-ctr,aes192-ctr,aes128-ctr", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh index 680c9db7adac..cedc3c42510b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh 
@@ -1,7 +1,7 @@ # platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro -if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then - sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config -else - echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation( + parameter="Ciphers", + value="aes256-ctr,aes192-ctr,aes128-ctr", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml index b32003ca96ae..452e2c8e1d0f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -27,7 +28,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml index 384c5f6589fa..9301044fa185 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml 
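Review bot: sshd_use_approved_ciphers_ordered_stig/bash/shared.sh is restricted by its `# platform` header to Oracle Linux 7, SLE and SLE Micro, and the new call forwards `config_is_distributed=sshd_distributed_config` unconditionally; the OpenSSH shipped with Oracle Linux 7 predates the `Include` directive, so if `sshd_distributed_config` resolves to true for that product the `Ciphers` line would be written to a drop-in file sshd never reads, leaving the weak-cipher finding in place while the remediation reports success. Confirm the product-level value is false for ol7, or gate the distributed path on the product as well. The same concern applies to sshd_use_approved_macs_ordered_stig/bash/shared.sh further down.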
@@ -5,6 +5,8 @@ {{%- else %}} {{%- set sshd_approved_ciphers = "aes256-ctr,aes192-ctr,aes128-ctr" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -43,7 +45,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 @@ -56,7 +58,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml index 24f56f81dea1..2ad614753576 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml @@ -4,13 +4,7 @@ # complexity = low # disruption = low -{{% set prefix_conf="^\s*KexAlgorithms\s*" %}} {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256"] %}} -- name: "Configure sshd to use FIPS 140-2 approved key exchange algorithms" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'KexAlgorithms {{{ kex_algos|join(",") }}}' - state: present - regexp: '{{{ prefix_conf }}}' - create: True +{{% set approved_kex_algos = kex_algos|join(",") %}} +{{{ ansible_sshd_set(parameter="KexAlgorithms", value=approved_kex_algos, config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh index 155d76cd8a52..eda467ef544e 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh @@ -9,10 +9,5 @@ KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellm {{%- if 'ubuntu' in product %}} {{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}} {{%- else %}} - -if grep -q -P '^\s*KexAlgorithms\s+' /etc/ssh/sshd_config; then - sed -i "s/^\s*KexAlgorithms.*/KexAlgorithms ${KEX_ALGOS}/" /etc/ssh/sshd_config -else - echo "KexAlgorithms ${KEX_ALGOS}" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml index 59e39247137d..57adf654f1ca 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml @@ -7,7 +7,7 @@ "diffie-hellman-group18-sha512"] %}} {{% set sufix_conf="(\s.*)?'" %}} {{% elif product in ['ol7', 'sle12', 'sle15', 'slmicro5', 'slmicro6'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set prefix_conf="^\s*KexAlgorithms\s*" %}} {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256"] %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml index ea32cfadeb56..52fbf0d0bbb3 100644 
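Review bot: After this hunk both branches of `{{%- if 'ubuntu' in product %}}` in sshd_use_approved_kex_ordered_stig/bash/shared.sh expand to the identical `bash_sshd_remediation(...)` call, so the conditional is dead and should be collapsed to the single line `{{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}}`. Keeping two copies invites them to drift apart on the next edit. The `KEX_ALGOS` assignment and the platform header sit above the hunk.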
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml @@ -3,6 +3,8 @@ {{%- else %}} {{%- set sshd_approved_kexalgorithms = "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the KexAlgorithms to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -41,7 +43,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 @@ -54,7 +56,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml index 90e59a76e962..54265ea53bc9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml @@ -5,11 +5,11 @@ ",diffie-hellman-group14-sha256,diffie-hellman-group16-sha512" ~ ",diffie-hellman-group18-sha512'" %}} {{% elif product in ['ol7'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set conf="KexAlgorithms ecdh-sha1-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~ ",diffie-hellman-group-exchange-sha256" %}} {{% elif product in ['sle12', 'sle15', 'slmicro5', 'slmicro6', 'ubuntu2204', 'ubuntu2404'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set conf="KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~ ",diffie-hellman-group-exchange-sha256" %}} {{% endif %}} 
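Review bot: The `ol7` branch of sshd_use_approved_kex_ordered_stig/rule.yml sets `conf` to `KexAlgorithms ecdh-sha1-nistp256,...` on the context line directly below the changed `path` line; `ecdh-sha1-nistp256` is not an OpenSSH key-exchange name, and the OVAL for the same product in this diff uses `ecdh-sha2-nistp256`, so this looks like a pre-existing typo that surfaces in the rule's text and is worth fixing while the branch is being touched. The leading `if` branch of this conditional is above the hunk, so it cannot be checked here for a remaining hard-coded path.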
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh index 34025970a52f..6eee376dbf96 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh @@ -2,4 +2,8 @@ {{{ bash_instantiate_variables("sshd_approved_macs") }}} -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^MACs', "$sshd_approved_macs", '%s %s', cce_identifiers=cce_identifiers) }}} +{{{ bash_sshd_remediation( + parameter="MACs", + value="$sshd_approved_macs", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml index c87db511d054..ce8530423105 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -46,7 +47,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml index 0acefd7516c1..c3e236f2fcf6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml 
@@ -8,11 +8,5 @@ {{{ ansible_instantiate_variables('sshd_approved_macs') }}} {{{ ansible_sshd_set(parameter="Macs", value="{{ sshd_approved_macs }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- else %}} -- name: "Configure sshd to use approved MACs" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'MACs hmac-sha2-512,hmac-sha2-256' - state: present - regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' - create: True +{{{ ansible_sshd_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-256", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh index 0e0205a98818..83cb8cb6e1c9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh @@ -1,7 +1,7 @@ # platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro -if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then - sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config -else - echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation( + parameter="MACs", + value="hmac-sha2-512,hmac-sha2-256", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml index 1b4781ef43d1..158d94d30e2b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -27,7 +28,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml index cdef6cc539a6..25c618e5ae26 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml @@ -5,6 +5,8 @@ {{%- else %}} {{%- set sshd_approved_macs = "hmac-sha2-512,hmac-sha2-256" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -43,7 +45,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 @@ -56,7 +58,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh index 9317b23992dc..91548a10db65 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh 
@@ -1,18 +1,21 @@ # platform = multi_platform_all -{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}} -{{% set base_config = "/etc/ssh/sshd_config" -%}} +{{% set base_config = sshd_main_config_file -%}} +{{% set config_dir = sshd_config_dir -%}} +{{% set target_file = config_dir ~ "/sshd_config_original.conf" -%}} +{{% set include_directive = "Include " ~ config_dir ~ "/*.conf" -%}} +{{% set include_regex = "^\\s*Include\\s+" ~ (config_dir | replace(".", "\\.")) ~ "/\\*\\.conf" -%}} if test -f {{{ target_file}}}; then {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}} -elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then +elif grep -Eq '{{{ include_regex }}}' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}} else - mkdir -p /etc/ssh/sshd_config.d + mkdir -p {{{ config_dir }}} mv {{{ base_config }}} {{{ target_file }}} cat > {{{ base_config }}} << EOF # To modify the system-wide sshd configuration, create a *.conf file under -# /etc/ssh/sshd_config.d/ which will be automatically included below +# {{{ config_dir }}}/ which will be automatically included below -Include /etc/ssh/sshd_config.d/*.conf +{{{ include_directive }}} EOF fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml index a0bf190007d0..055f63c20fd2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml 
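Review bot: `include_regex` in sshd_use_directory_configuration/bash/shared.sh escapes only `.` in `config_dir` before it is embedded in a single-quoted `grep -Eq` pattern, so a product value containing another ERE metacharacter (or a single quote) would alter or break the check that decides whether remediation already happened, and a wrong answer there leads straight to the `mv` of the live sshd_config. `mkdir -p {{{ config_dir }}}` creates the drop-in directory with whatever the process umask yields, while directory_permissions_sshd_config_d in this same series expects `0700`; `mkdir -p -m 0700 {{{ config_dir }}}` makes the two rules agree when the directory is created by this remediation.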
@@ -1,4 +1,4 @@ -{{%- set config_path = "/etc/ssh/sshd_config" %}} +{{%- set config_path = sshd_main_config_file %}} @@ -26,4 +26,3 @@ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true, rule_id=rule_id) | indent (2) }}} {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+", rule_id=rule_id) | indent (2) }}} - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml index 9e097ca403a8..b47bab42117f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -52,7 +54,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 @@ -80,7 +82,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml index cefbd207730f..c50826514438 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml @@ -1,4 +1,5 @@ -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} 
@@ -56,7 +57,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 @@ -78,7 +79,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 From 586472b8d4078363313d32dd3cf9c58fea0c3bcc Mon Sep 17 00:00:00 2001 From: Samir MOUHOUNE Date: Mon, 23 Feb 2026 22:24:20 +0100 Subject: [PATCH 189/265] rules(ssh): parameterize ownership/permission checks for sshd config paths Update SSH ownership, permissions, and existence rules to consume product-overridable SSH path variables.\n\nThis keeps rule intent unchanged while allowing products with non-standard sshd config layouts to reuse the same rules without patching content. --- .../ssh/directory_groupowner_sshd_config_d/rule.yml | 12 ++++++------ .../ssh/directory_owner_sshd_config_d/rule.yml | 12 ++++++------ .../ssh/directory_permissions_sshd_config_d/rule.yml | 12 ++++++------ .../ssh/file_groupowner_sshd_config/rule.yml | 12 ++++++------ .../ssh/file_groupowner_sshd_drop_in_config/rule.yml | 12 ++++++------ .../services/ssh/file_owner_sshd_config/rule.yml | 12 ++++++------ .../ssh/file_owner_sshd_drop_in_config/rule.yml | 12 ++++++------ .../ssh/file_permissions_sshd_config/rule.yml | 12 ++++++------ .../file_permissions_sshd_drop_in_config/rule.yml | 12 ++++++------ .../services/ssh/file_sshd_50_redhat_exists/rule.yml | 7 ++++--- 10 files changed, 58 insertions(+), 57 deletions(-) diff --git a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml index 9dd2ecc766b5..7c990240df3e 100644 --- a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server Configuration Files' description: |- - {{{ describe_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ describe_directory_group_owner(directory=sshd_config_dir, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +ocil_clause: '{{{ ocil_clause_directory_group_owner(directory=sshd_config_dir, group="root") }}}' ocil: |- - {{{ ocil_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ ocil_directory_group_owner(directory=sshd_config_dir, group="root") }}} -fixtext: '{{{ fixtext_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}' +fixtext: '{{{ fixtext_directory_group_owner(file=sshd_config_dir, group="root") }}}' -srg_requirement: '{{{ srg_requirement_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}' +srg_requirement: '{{{ srg_requirement_directory_group_owner(file=sshd_config_dir, group="root") }}}' template: name: file_groupowner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml index 73713872c946..0d4dcc611827 100644 --- a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server Configuration Files' description: |- - {{{ describe_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ describe_directory_owner(directory=sshd_config_dir, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_directory_owner(directory=sshd_config_dir, owner="root") }}}' ocil: |- - {{{ ocil_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ ocil_directory_owner(directory=sshd_config_dir, owner="root") }}} -fixtext: '{{{ fixtext_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}' +fixtext: '{{{ fixtext_directory_owner(file=sshd_config_dir, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_directory_owner(file=sshd_config_dir, owner="root") }}}' template: name: file_owner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml index 6a50abb97e99..9496c6c0efc3 100644 --- a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server Config File' description: |- - {{{ describe_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0700") }}} + {{{ describe_directory_permissions(directory=sshd_config_dir, perms="0700") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}' +ocil_clause: '{{{ ocil_clause_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}}' ocil: |- - {{{ ocil_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}} + {{{ ocil_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}} -fixtext: '{{{ fixtext_directory_permissions(file="/etc/ssh/sshd_config.d", mode="0700") }}}' +fixtext: '{{{ fixtext_directory_permissions(file=sshd_config_dir, mode="0700") }}}' -srg_requirement: '{{{ srg_requirement_directory_permission(file="/etc/ssh/sshd_config.d", mode="0700") }}}' +srg_requirement: '{{{ srg_requirement_directory_permission(file=sshd_config_dir, mode="0700") }}}' template: name: file_permissions vars: - filepath: /etc/ssh/sshd_config.d/ + filepath: '{{{ sshd_config_dir }}}/' filemode: '0700' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml index f0ea9c5cf13d..4958f6caca25 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml 
@@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server config file' description: |- - {{{ describe_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}} + {{{ describe_file_group_owner(file=sshd_main_config_file, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -35,19 +35,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_main_config_file, group="root") }}}' ocil: |- - {{{ ocil_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}} + {{{ ocil_file_group_owner(file=sshd_main_config_file, group="root") }}} -fixtext: '{{{ fixtext_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +fixtext: '{{{ fixtext_file_group_owner(file=sshd_main_config_file, group="root") }}}' -srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_main_config_file, group="root") }}}' template: name: file_groupowner vars: - filepath: /etc/ssh/sshd_config + filepath: '{{{ sshd_main_config_file }}}' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml index 5f1728ab2a8b..3fd050bca108 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server Configuration Files' description: |- - {{{ describe_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ describe_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' ocil: |- - {{{ ocil_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ ocil_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}} -fixtext: '{{{ fixtext_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +fixtext: '{{{ fixtext_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' template: name: file_groupowner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' gid_or_name: '0' diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml index 4fefa1a5a591..8eb4b1090351 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml 
@@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server config file' description: |- - {{{ describe_file_owner(file="/etc/ssh/sshd_config", owner="root") }}} + {{{ describe_file_owner(file=sshd_main_config_file, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -35,19 +35,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_main_config_file, owner="root") }}}' ocil: |- - {{{ ocil_file_owner(file="/etc/ssh/sshd_config", owner="root") }}} + {{{ ocil_file_owner(file=sshd_main_config_file, owner="root") }}} -fixtext: '{{{ fixtext_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +fixtext: '{{{ fixtext_file_owner(file=sshd_main_config_file, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_main_config_file, owner="root") }}}' template: name: file_owner vars: - filepath: /etc/ssh/sshd_config + filepath: '{{{ sshd_main_config_file }}}' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml index f0832ad73e6b..bb0cf97aa84a 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server Configuration Files' description: |- - {{{ describe_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ describe_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -29,19 +29,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' ocil: |- - {{{ ocil_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ ocil_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}} -fixtext: '{{{ fixtext_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +fixtext: '{{{ fixtext_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' template: name: file_owner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' uid_or_name: '0' diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml index f36678bf6753..d9d311f83a97 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server config file' description: |- - {{{ describe_file_permissions(file="/etc/ssh/sshd_config", perms="0600") }}} + {{{ describe_file_permissions(file=sshd_main_config_file, perms="0600") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -36,20 +36,20 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}}' +ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}}' ocil: |- - {{{ ocil_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}} + {{{ ocil_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}} -fixtext: '{{{ fixtext_file_permissions(file="/etc/ssh/sshd_config", mode="0600") }}}' +fixtext: '{{{ fixtext_file_permissions(file=sshd_main_config_file, mode="0600") }}}' -srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/ssh/sshd_config", mode="0600") }}}' +srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_main_config_file, mode="0600") }}}' template: name: file_permissions vars: filepath: - - /etc/ssh/sshd_config + - '{{{ sshd_main_config_file }}}' filemode: '0600' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml index 26a1815bce4d..0cfaa9f10f6b 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server Config File' description: |- - {{{ describe_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0600") }}} + {{{ describe_files_in_directory_permissions(directory=sshd_config_dir, perms="0600") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}}' ocil: |- - {{{ ocil_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}} + {{{ ocil_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}} -fixtext: '{{{ fixtext_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}' +fixtext: '{{{ fixtext_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}' template: name: file_permissions vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' filemode: '0600' diff --git a/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml b/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml index ffa34166c034..db813093f611 100644 --- a/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml +++ b/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml @@ -1,9 +1,10 @@ +{{% set sshd_redhat_drop_in_file = sshd_config_dir ~ "/50-redhat.conf" %}} documentation_complete: true -title: 'The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist' +title: 'The File {{{ sshd_redhat_drop_in_file }}} Must Exist' description: |- - The /etc/ssh/sshd_config.d/50-redhat.conf file must exist as it contains important + The {{{ sshd_redhat_drop_in_file }}} file must exist as it contains important settings to secure SSH. 
@@ -29,7 +30,7 @@ warnings: template: name: 'file_existence' vars: - filepath: '/etc/ssh/sshd_config.d/50-redhat.conf' + filepath: '{{{ sshd_redhat_drop_in_file }}}' exists: true backends: ansible: off From 89e6f88460521d9bb5e5af15a62f413db4ad8121 Mon Sep 17 00:00:00 2001 From: Samir MOUHOUNE Date: Mon, 23 Feb 2026 22:24:26 +0100 Subject: [PATCH 190/265] rules(crypto): make ssh sysconfig path product-overridable Apply the new sshd_sysconfig_file product variable to rules that currently hardcode /etc/sysconfig/sshd.\n\nThis covers crypto-policy checks/remediations, strong-RNG guidance, and related file ownership/permission checks.\nDefault path stays /etc/sysconfig/sshd. --- .../ssh/ssh_server/sshd_use_strong_rng/rule.yml | 11 ++++++----- .../file_groupowner_etc_sysconfig_sshd/rule.yml | 12 ++++++------ .../files/file_owner_etc_sysconfig_sshd/rule.yml | 12 ++++++------ .../file_permissions_etc_sysconfig_sshd/rule.yml | 12 ++++++------ .../configure_ssh_crypto_policy/ansible/shared.yml | 2 +- .../configure_ssh_crypto_policy/bash/shared.sh | 2 +- .../configure_ssh_crypto_policy/oval/shared.xml | 3 ++- .../crypto/configure_ssh_crypto_policy/rule.yml | 11 ++++++----- 8 files changed, 34 insertions(+), 31 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml index b8240ae667a3..0b43a2b32b1a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml @@ -1,4 +1,5 @@ documentation_complete: true +{{% set sshd_sysconfig = sshd_sysconfig_file %}} # TODO: The plan is not to need this for RHEL>=8.4 # TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more 
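Review bot: The new `{{% set sshd_sysconfig = sshd_sysconfig_file %}}` line sits after `documentation_complete: true` instead of at the top of the file, whereas the `{{% set sshd_redhat_drop_in_file ... %}}` line added to file_sshd_50_redhat_exists/rule.yml in the hunk above is placed before it; the same placement recurs in the configure_ssh_crypto_policy/rule.yml hunk later in this patch. The alias also adds nothing over using `sshd_sysconfig_file` directly, which is what the three file_*_etc_sysconfig_sshd rules in the same patch do. Either reference the product variable directly or move the `set` to line 1 so the rule files in this series follow one convention.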
@@ -6,7 +7,7 @@ documentation_complete: true title: 'SSH server uses strong entropy to seed' description: |- - To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. + To set up SSH server to use entropy from a high-quality source, edit the {{{ sshd_sysconfig }}} file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line
SSH_USE_STRONG_RNG=32
@@ -31,17 +32,17 @@ references: ocil: |- To determine whether the SSH service is configured to use strong entropy seed, - run
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
+ run
$ sudo grep SSH_USE_STRONG_RNG {{{ sshd_sysconfig }}}
If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, then the option is set correctly. ocil_clause: |- - the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd + the SSH_USE_STRONG_RNG is not set to 32 in {{{ sshd_sysconfig }}} fixtext: |- Configure the {{{ full_name }}} SSH server to use strong entropy. - Add or modify the following line in the "/etc/sysconfig/sshd" file. + Add or modify the following line in the "{{{ sshd_sysconfig }}}" file. SSH_USE_STRONG_RNG=32 @@ -55,7 +56,7 @@ warnings: template: name: shell_lineinfile vars: - path: '/etc/sysconfig/sshd' + path: '{{{ sshd_sysconfig }}}' parameter: 'SSH_USE_STRONG_RNG' value: '32' datatype: int diff --git a/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml index 6a57207cc9b5..09a5d5beac04 100644 --- a/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify Group Who Owns /etc/sysconfig/sshd File' -description: '{{{ describe_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +description: '{{{ describe_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' rationale: |- The /etc/sysconfig/sshd file contains configuration options for the SSH daemon. 
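Review bot: In the file_groupowner_etc_sysconfig_sshd hunk the title `'Verify Group Who Owns /etc/sysconfig/sshd File'` and the rationale sentence `The /etc/sysconfig/sshd file contains configuration options for the SSH daemon.` remain hardcoded while the description, OCIL, fixtext and template filepath now come from `sshd_sysconfig_file`, so a product that overrides the variable will check one path but name another in the rendered title and rationale. The file_owner_etc_sysconfig_sshd and file_permissions_etc_sysconfig_sshd hunks that follow have the same mismatch. Templating these too, e.g. `title: 'Verify Group Who Owns {{{ sshd_sysconfig_file }}} File'`, keeps the rule text consistent with what is actually evaluated; if the titles are kept fixed on purpose, a short comment in each rule saying so would stop the next reader from treating it as an oversight.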
@@ -14,19 +14,19 @@ severity: medium identifiers: cce@rhel8: CCE-89268-7 -ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' ocil: |- - {{{ ocil_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}} + {{{ ocil_file_group_owner(file=sshd_sysconfig_file, group="root") }}} -fixtext: '{{{ fixtext_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +fixtext: '{{{ fixtext_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' -srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' template: name: file_groupowner vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml index 64785d24ce67..758f6cc3dc7e 100644 --- a/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify User Who Owns /etc/sysconfig/sshd File' -description: '{{{ describe_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +description: '{{{ describe_file_owner(file=sshd_sysconfig_file, owner="root") }}}' rationale: |- The /etc/sysconfig/sshd file contains configuration options for the SSH daemon. 
@@ -14,19 +14,19 @@ severity: medium identifiers: cce@rhel8: CCE-89269-5 -ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_sysconfig_file, owner="root") }}}' ocil: |- - {{{ ocil_file_owner(file="/etc/sysconfig/sshd", owner="root") }}} + {{{ ocil_file_owner(file=sshd_sysconfig_file, owner="root") }}} -fixtext: '{{{ fixtext_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +fixtext: '{{{ fixtext_file_owner(file=sshd_sysconfig_file, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_sysconfig_file, owner="root") }}}' template: name: file_owner vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml index 156efad15e09..fab349e834b8 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on /etc/sysconfig/sshd File' description: |- - {{{ describe_file_permissions(file="/etc/sysconfig/sshd", perms="0640") }}} + {{{ describe_file_permissions(file=sshd_sysconfig_file, perms="0640") }}} rationale: |- The /etc/sysconfig/sshd file contains configuration options for the SSH daemon. 
@@ -15,19 +15,19 @@ severity: medium identifiers: cce@rhel8: CCE-89270-3 -ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sysconfig/sshd", perms="-rw-r-----") }}}' +ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_sysconfig_file, perms="-rw-r-----") }}}' ocil: |- - {{{ ocil_file_permissions(file="/etc/sysconfig/sshd", perms="-rw-r-----") }}} + {{{ ocil_file_permissions(file=sshd_sysconfig_file, perms="-rw-r-----") }}} -fixtext: '{{{ fixtext_file_permissions(file="/etc/sysconfig/sshd", mode="0640") }}}' +fixtext: '{{{ fixtext_file_permissions(file=sshd_sysconfig_file, mode="0640") }}}' -srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/sysconfig/sshd", mode="0640") }}}' +srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_sysconfig_file, mode="0640") }}}' template: name: file_permissions vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' filemode: '0640' allow_stricter_permissions: "true" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml index cfbff70b845c..65dccf57d6e7 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml @@ -6,6 +6,6 @@ - name: "{{{ rule_title }}}" ansible.builtin.lineinfile: - dest: /etc/sysconfig/sshd + dest: '{{{ sshd_sysconfig_file }}}' state: absent regexp: (?i)^\s*CRYPTO_POLICY.*$ diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh index 2a04f5ea6bc0..8066e15c264a 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh 
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh @@ -1,5 +1,5 @@ # platform = multi_platform_all -SSH_CONF="/etc/sysconfig/sshd" +SSH_CONF="{{{ sshd_sysconfig_file }}}" sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml index e51181528eb3..0265d746b9ab 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_sysconfig = sshd_sysconfig_file -%}} {{{ oval_metadata("SSH should be configured to use the system-wide crypto policy setting.", rule_title=rule_title) }}} @@ -14,7 +15,7 @@ - /etc/sysconfig/sshd + {{{ sshd_sysconfig }}} ^\s*(?i)CRYPTO_POLICY\s*=.*$ 1 diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml index 7e722ab1170f..ccd2d2b2b5e5 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml @@ -1,4 +1,5 @@ documentation_complete: true +{{% set sshd_sysconfig = sshd_sysconfig_file %}} title: 'Configure SSH to use System Crypto Policy' @@ -9,7 +10,7 @@ description: |- set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all - in the /etc/sysconfig/sshd. + in the {{{ sshd_sysconfig }}}. rationale: |- Overriding the system crypto policy makes the behavior of the SSH service violate expectations, 
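Review bot: `$SSH_CONF` on the `sed -i` line in bash/shared.sh is still unquoted, and now that its value is supplied by the product variable rather than a fixed literal, a path containing whitespace or glob characters would be word-split or expanded before reaching sed. Quoting the expansion, `sed -i "/^\s*CRYPTO_POLICY.*$/Id" "$SSH_CONF"`, makes the remediation independent of the variable's content. The ansible variant in the preceding hunk already passes the templated value as a quoted YAML string, so this brings the two remediations in line.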
@@ -34,23 +35,23 @@ references: srg: SRG-OS-000250-GPOS-00093 stigid@ol8: OL08-00-010287 -ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd' +ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in {{{ sshd_sysconfig }}}' ocil: |- Verify that sshd isn't configured to ignore the system wide cryptographic policy. Check that the CRYPTO_POLICY variable is not set or is commented out in the - /etc/sysconfig/sshd. + {{{ sshd_sysconfig }}}. Run the following command: - $ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd + $ sudo grep CRYPTO_POLICY {{{ sshd_sysconfig }}} fixtext: |- Configure OpenSSH to not ignore the system wide cryptographic policy. Run the following command: - $ sudo sed -i "/^\s*CRYPTO_POLICY.*$/Id" /etc/sysconfig/sshd + $ sudo sed -i "/^\s*CRYPTO_POLICY.*$/Id" {{{ sshd_sysconfig }}} srg_requirement: |- {{{ full_name }}} must implement approved encryption in the OpenSSH package. From c1af8d7ca2593d69845d0d5f23f0926e27f9e4b7 Mon Sep 17 00:00:00 2001 
From: Samir MOUHOUNE Date: Tue, 24 Feb 2026 21:24:54 +0100 Subject: [PATCH 191/265] tests(stability): add SSH path properties to product references --- tests/data/product_stability/alinux2.yml | 5 +++++ tests/data/product_stability/alinux3.yml | 5 +++++ tests/data/product_stability/anolis23.yml | 5 +++++ tests/data/product_stability/anolis8.yml | 5 +++++ tests/data/product_stability/debian11.yml | 5 +++++ tests/data/product_stability/debian12.yml | 5 +++++ tests/data/product_stability/debian13.yml | 5 +++++ tests/data/product_stability/eks.yml | 5 +++++ tests/data/product_stability/example.yml | 5 +++++ tests/data/product_stability/fedora.yml | 5 +++++ tests/data/product_stability/firefox.yml | 5 +++++ tests/data/product_stability/ocp4.yml | 5 +++++ tests/data/product_stability/ol7.yml | 5 +++++ tests/data/product_stability/ol8.yml | 5 +++++ tests/data/product_stability/ol9.yml | 5 +++++ tests/data/product_stability/openembedded.yml | 5 +++++ tests/data/product_stability/opensuse.yml | 5 +++++ tests/data/product_stability/rhcos4.yml | 5 +++++ tests/data/product_stability/rhel10.yml | 5 +++++ tests/data/product_stability/rhel8.yml | 5 +++++ tests/data/product_stability/rhel9.yml | 5 +++++ tests/data/product_stability/rhv4.yml | 5 +++++ tests/data/product_stability/sle12.yml | 5 +++++ tests/data/product_stability/sle15.yml | 5 +++++ tests/data/product_stability/ubuntu2204.yml | 5 +++++ tests/data/product_stability/ubuntu2404.yml | 5 +++++ 26 files changed, 130 insertions(+) diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml index 5c49951cfdfc..0722865b0d46 100644 --- a/tests/data/product_stability/alinux2.yml +++ b/tests/data/product_stability/alinux2.yml 
@@ -87,7 +87,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml index 6a3f6906a444..cba2bf2f34e7 100644 --- a/tests/data/product_stability/alinux3.yml +++ b/tests/data/product_stability/alinux3.yml @@ -87,7 +87,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml index a75b269f7a1d..f9689aaf8237 100644 --- a/tests/data/product_stability/anolis23.yml +++ b/tests/data/product_stability/anolis23.yml 
@@ -86,7 +86,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml index 3718ddc46c3e..e643aa9311c8 100644 --- a/tests/data/product_stability/anolis8.yml +++ b/tests/data/product_stability/anolis8.yml @@ -86,7 +86,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml index e158e949bf47..e05dfb4aedce 100644 --- a/tests/data/product_stability/debian11.yml +++ b/tests/data/product_stability/debian11.yml 
@@ -96,7 +96,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml index 4433efbfa427..8306137e9b8a 100644 --- a/tests/data/product_stability/debian12.yml +++ b/tests/data/product_stability/debian12.yml @@ -98,7 +98,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml index f396cebdb375..04738e3a3f61 100644 --- a/tests/data/product_stability/debian13.yml +++ b/tests/data/product_stability/debian13.yml 
@@ -98,7 +98,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml index 749fc432b180..6ef528ecaf95 100644 --- a/tests/data/product_stability/eks.yml +++ b/tests/data/product_stability/eks.yml @@ -94,7 +94,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml index 14d69b7c198f..53324adda77d 100644 --- a/tests/data/product_stability/example.yml +++ b/tests/data/product_stability/example.yml 
@@ -88,7 +88,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml index d0885a22d8ad..a88dae3b8f08 100644 --- a/tests/data/product_stability/fedora.yml +++ b/tests/data/product_stability/fedora.yml @@ -132,7 +132,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml index 23f9456dbaf5..80ae32c4a49f 100644 --- a/tests/data/product_stability/firefox.yml +++ b/tests/data/product_stability/firefox.yml 
@@ -83,7 +83,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml index b0f8c5866d48..a2d25472d7fe 100644 --- a/tests/data/product_stability/ocp4.yml +++ b/tests/data/product_stability/ocp4.yml @@ -194,7 +194,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml index 4d692ffb7ca5..db78aa4b6942 100644 --- a/tests/data/product_stability/ol7.yml +++ b/tests/data/product_stability/ol7.yml 
@@ -98,7 +98,12 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ release_key_fingerprint: 42144123FECFC55B9086313D72F97B74EC551F03 rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml index f3ac4181da82..150eeb532ad7 100644 --- a/tests/data/product_stability/ol8.yml +++ b/tests/data/product_stability/ol8.yml @@ -67,7 +67,12 @@ reference_uris: {anssi: 'https://cyber.gouv.fr/sites/default/files/document/linu stigref: 'https://www.cyber.mil/stigs/srg-stig-tools/'} release_key_fingerprint: 76FD3DB13AB67410B89DB10E82562EA9AD986DA3 rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: [5, 11] diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml index 1bf88e99cfd9..d3422a65d70b 100644 --- a/tests/data/product_stability/ol9.yml +++ b/tests/data/product_stability/ol9.yml 
@@ -70,7 +70,12 @@ reference_uris: {anssi: 'https://cyber.gouv.fr/sites/default/files/document/linu stigref: 'https://www.cyber.mil/stigs/srg-stig-tools/'} release_key_fingerprint: 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: [5, 11] diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml index 344874dfc136..602e443be6c3 100644 --- a/tests/data/product_stability/openembedded.yml +++ b/tests/data/product_stability/openembedded.yml @@ -99,7 +99,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml index 9174e81bd4df..e1ce92ccdae1 100644 --- a/tests/data/product_stability/opensuse.yml +++ b/tests/data/product_stability/opensuse.yml 
@@ -95,7 +95,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml index ccb1445bee05..612a90c8ea9e 100644 --- a/tests/data/product_stability/rhcos4.yml +++ b/tests/data/product_stability/rhcos4.yml @@ -92,7 +92,12 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'true' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml index 1e96007149d5..56f541493d9d 100644 --- a/tests/data/product_stability/rhel10.yml +++ b/tests/data/product_stability/rhel10.yml 
@@ -102,7 +102,12 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml index 519c9ece1ffb..869f366f3c5f 100644 --- a/tests/data/product_stability/rhel8.yml +++ b/tests/data/product_stability/rhel8.yml @@ -149,7 +149,12 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml index 6e23814da258..acaaf0e4a45e 100644 --- a/tests/data/product_stability/rhel9.yml +++ b/tests/data/product_stability/rhel9.yml 
@@ -106,7 +106,12 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml index 18a495e60dde..4ad5097c8256 100644 --- a/tests/data/product_stability/rhv4.yml +++ b/tests/data/product_stability/rhv4.yml @@ -97,7 +97,12 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml index fd1c6c58f621..5a49e2cb5449 100644 --- a/tests/data/product_stability/sle12.yml +++ b/tests/data/product_stability/sle12.yml 
@@ -97,7 +97,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml index df80c5c692d4..d98d61efdce0 100644 --- a/tests/data/product_stability/sle15.yml +++ b/tests/data/product_stability/sle15.yml @@ -103,7 +103,12 @@ reference_uris: suse-general: not_publicly_available release_key_fingerprint: FEAB502539D846DB2C0961CA70AF9E8139DB7C82 rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'false' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml index 7010b1dae93a..7278eeec5f5a 100644 --- a/tests/data/product_stability/ubuntu2204.yml +++ b/tests/data/product_stability/ubuntu2204.yml 
@@ -106,7 +106,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml index 9918311b1913..26934d9dbdf0 100644 --- a/tests/data/product_stability/ubuntu2404.yml +++ b/tests/data/product_stability/ubuntu2404.yml @@ -107,7 +107,12 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_sysconfig_file: /etc/sysconfig/sshd sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: From 86a1b6693c0056747d42af85a0e47ddbb8c62c9a Mon Sep 17 00:00:00 2001 From: Samir MOUHOUNE Date: Tue, 24 Feb 2026 21:48:47 +0100 Subject: [PATCH 192/265] docs(macros): reference SSH path variables in ansible_sshd_set documentation --- shared/macros/10-ansible.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 3113bf55e701..b69baf93226e 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -198,7 +198,7 @@ value: :code:`Setting={{ varname1 }}` (but case-sensitive values). We also specify the validation program here; -t specifies test and -f allows Ansible to pass a file at a different path. - Set set a parameter in /etc/sshd_config or /etc/ssh/sshd_config.d/ + Set a parameter in ``sshd_main_config_file`` or ``sshd_config_dir``. :parameter msg: Message to be set as Task Title, if not set the rule's title will be used instead :type msg: str @@ -206,7 +206,7 @@ value: :code:`Setting={{ varname1 }}` :type parameter: str :parameter value: The value to set :type value: str -:parameter config_is_distributed: If true, will ok look in /etc/ssh/sshd_config.d +:parameter config_is_distributed: If true, use ``sshd_config_dir`` for configuration :type config_is_distributed: str :parameter config_basename: Filename of configuration file when using distributed configuration :type config_basename: str From 67891ca5c98e237aaad5c49e598261961e67cfcb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 25 Feb 2026 11:15:56 +0100 Subject: [PATCH 193/265] Set rpm crypto only if rpm scope exists Setting a crypto policy for RPM is possible only if the crypto-policies package provides the `rpm-sequoia` scope. This scope is new in RHEL 9.7 and doesn't exist in older minor versions of RHEL 9. If the `rpm-sequoia` scope isn't present in crypto-policies, the `update-crypto-policies` command fails to set the `NO-RPMSHA1` custom crypto policy module. That causes multiple problems, namely termination of the profile Ansible Playbook for CIS profiles. We will fix the problem by first checking if the `rpm-sequoia` scope exists and we will define the `NO-RPMSHA1` custom crypto policy module only if the scope exists. Addressing: ``` {"changed": true, "cmd": ["update-crypto-policies", "--set", "DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC:NO-RPMSHA1"], "delta": "0:00:00.070451", "end": "2026-02-16 19:47:56.444333", "msg": "non-zero return code", "rc": 1, "start": "2026-02-16 19:47:56.373882", "stderr": "ScopeUnknownError: Unknown scope rpm\nErrors found in policy, first one: \nunknown scope rpm", "stderr_lines": ["ScopeUnknownError: Unknown scope rpm", "Errors found in policy, first one: ", "unknown scope rpm"], "stdout": "", "stdout_lines": []} ``` --- .../rule.yml | 3 ++- .../crypto_sub_policies/ansible.template | 25 +++++++++++++++++-- .../crypto_sub_policies/bash.template | 18 ++++++++++--- .../crypto_sub_policies/oval.template | 21 +++++++++++++++- .../templates/crypto_sub_policies/template.py | 3 --- 5 files changed, 59 insertions(+), 11 deletions(-) delete mode 100644 shared/templates/crypto_sub_policies/template.py diff --git a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml index b80f01777048..72387b459f09 100644 
--- a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml @@ -52,7 +52,8 @@ title: Implement Custom Crypto Policy Modules for CIS Benchmark { "module_name": "NO-RPMSHA1", "key": "hash@rpm", - "value": "-SHA1" + "value": "-SHA1", + "scope": "rpm-sequoia" }, ] %}} {{% elif product == "rhel10" or product == "fedora" %}} diff --git a/shared/templates/crypto_sub_policies/ansible.template b/shared/templates/crypto_sub_policies/ansible.template index 688b681a97bd..7152802d1b50 100644 --- a/shared/templates/crypto_sub_policies/ansible.template +++ b/shared/templates/crypto_sub_policies/ansible.template @@ -4,7 +4,18 @@ # complexity = low # disruption = low +- name: "{{{ rule_title }}} - Set the base crypto policy" + ansible.builtin.set_fact: + expected_crypto_policy: "{{{ BASE_POLICY }}}" + {{% for sub_policy in SUB_POLICIES %}} +{{% if "scope" in sub_policy %}} +- name: "{{{ rule_title }}} - Check That /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config Exists" + ansible.builtin.stat: + path: /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config + register: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope +{{% endif %}} + - name: "{{{ rule_title }}} - Create custom crypto policy module {{{ sub_policy.module_name }}}" ansible.builtin.lineinfile: path: /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod 
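Review bot: The new scope probe, an `ansible.builtin.stat` on `/etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config`, does not follow symlinks (the module's `follow` option defaults to false), so `stat.exists` is true even for a dangling link, whereas the Bash template's `[[ -f ... ]]` follows the link and would treat the scope as absent. If the back-end `.config` files are symlinks into /usr/share/crypto-policies, as I believe crypto-policies installs them, the Ansible and Bash remediations can disagree on the same host. Adding `follow: true` to the stat task restores parity with `-f`; gating the later tasks on `crypto_..._scope.stat.exists and crypto_..._scope.stat.isreg` would make the intent explicit. The `when:` clauses that consume this register are in the next hunk.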
@@ -14,6 +25,16 @@ line: {{{ sub_policy.key }}} = {{{ sub_policy.value }}} create: true regexp: "{{{ sub_policy.key }}}" +{{% if "scope" in sub_policy %}} + when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists +{{% endif %}} + +- name: "{{{ rule_title }}} - Update the expected policy" + ansible.builtin.set_fact: + expected_crypto_policy: "{{ expected_crypto_policy + ':{{{ sub_policy.module_name }}}' }}" +{{% if "scope" in sub_policy %}} + when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists +{{% endif %}} {{% endfor %}} - name: "{{{ rule_title }}} - Check current crypto policy" @@ -24,5 +45,5 @@ check_mode: false - name: "{{{ rule_title }}} - Update crypto-policies" - ansible.builtin.command: update-crypto-policies --set {{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}} - when: current_crypto_policy.stdout.strip() != "{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}" + ansible.builtin.command: update-crypto-policies --set {{ expected_crypto_policy }} + when: current_crypto_policy.stdout.strip() != expected_crypto_policy diff --git a/shared/templates/crypto_sub_policies/bash.template b/shared/templates/crypto_sub_policies/bash.template index e8915cb3daf3..685e90e54846 100644 --- a/shared/templates/crypto_sub_policies/bash.template +++ b/shared/templates/crypto_sub_policies/bash.template 
@@ -4,12 +4,22 @@ # complexity = low # disruption = low -{{% for sub_policy in SUB_POLICIES %}} -{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) }}} -{{% endfor %}} +expected_crypto_policy="{{{ BASE_POLICY }}}" + +{{% for sub_policy in SUB_POLICIES -%}} +{{% if "scope" in sub_policy %}} +# this module is applicable only if {{{ sub_policy.scope }}} scope is available in crypto-policies +if [[ -f /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config ]] ; then +{{%- endif %}} +expected_crypto_policy="${expected_crypto_policy}:{{{ sub_policy.module_name }}}" +{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) | trim }}} +{{% if "scope" in sub_policy -%}} +fi +{{% endif %}} +{{%- endfor %}} current_crypto_policy=$(update-crypto-policies --show) -expected_crypto_policy="{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}" + if [[ "$current_crypto_policy" != "$expected_crypto_policy" ]] ; then update-crypto-policies --set "$expected_crypto_policy" fi diff --git a/shared/templates/crypto_sub_policies/oval.template b/shared/templates/crypto_sub_policies/oval.template index 272ae6ee31df..b45e533287a9 100644 --- a/shared/templates/crypto_sub_policies/oval.template +++ b/shared/templates/crypto_sub_policies/oval.template @@ -3,8 +3,18 @@ {{{ oval_metadata("Ensure that the custom crypto policy module is configured", rule_title=rule_title) }}} {{% for sub_policy in SUB_POLICIES %}} - + + + + + + + {{% else %}} + + {{% endif %}} {{% endfor %}}
@@ -21,5 +31,14 @@ ^{{{ sub_policy.key }}} = {{{ sub_policy.value | escape_regex }}}$ 1
+ {{% if "scope" in sub_policy %}} + + + + + + /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config + + {{% endif %}} {{% endfor %}} diff --git a/shared/templates/crypto_sub_policies/template.py b/shared/templates/crypto_sub_policies/template.py deleted file mode 100644 index 8e256ae08291..000000000000 --- a/shared/templates/crypto_sub_policies/template.py +++ /dev/null @@ -1,3 +0,0 @@ -def preprocess(data, lang): - data["configure_crypto_policy_modules"] = ":".join([sub_policy["module_name"] for sub_policy in data["sub_policies"]]) - return data From 24960975bf3365c1c852c803e7488f57d2b22221 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 25 Feb 2026 13:53:30 +0100 Subject: [PATCH 194/265] Fix a broken link I can't find the original content that the link pointed to. I think the content wasn't so important, so I will remove it. --- .../gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml index 4f228f0c3a4a..ac8e9953350d 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml @@ -11,9 +11,7 @@ title: 'Disable XDMCP in GDM' {{% endif %}} description: |- - XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. - {{{ weblink("https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity", "XDMCP Gnome docs") }}}. - + XDMCP is an unencrypted protocol, and therefore, presents a security risk. To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in {{{ gdm_conf_path }}}. For example:
     [xdmcp]

From 9fba127e4443de563bbcfbff61543ad0f8c054c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
Date: Wed, 25 Feb 2026 15:12:34 +0100
Subject: [PATCH 195/265] Fix variable selections for rule
 dconf_gnome_login_banner_text

---
 controls/cis_ubuntu2404.yml                                   | 2 +-
 controls/general_sle15.yml                                    | 2 +-
 controls/stig_ol9.yml                                         | 2 +-
 controls/stig_ubuntu2204.yml                                  | 2 +-
 products/rhel9/controls/cis_rhel9.yml                         | 4 ++--
 tests/data/profile_stability/rhel9/cis.profile                | 4 ++--
 tests/data/profile_stability/rhel9/cis_server_l1.profile      | 4 ++--
 tests/data/profile_stability/rhel9/cis_workstation_l1.profile | 4 ++--
 tests/data/profile_stability/rhel9/cis_workstation_l2.profile | 4 ++--
 9 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 9c18ee8621ce..d4e1dfde39c3 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -561,7 +561,7 @@ controls:
           - l1_server
           - l1_workstation
       rules:
-          - login_banner_text=cis_default
+          - dconf_login_banner_text=cis_default
           - dconf_login_banner_contents=cis_default
           - dconf_gnome_banner_enabled
           - dconf_gnome_login_banner_text
diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml
index 1acede4d2700..f637cbbd87d4 100644
--- a/controls/general_sle15.yml
+++ b/controls/general_sle15.yml
@@ -538,7 +538,7 @@ controls:
       rules:
           - dconf_gnome_banner_enabled
           - dconf_gnome_login_banner_text
-          - login_banner_text=cis_default
+          - dconf_login_banner_text=cis_default
           - dconf_login_banner_contents=cis_default
 
     - id: SLES-15-151200135
diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml
index 3174c8d1a62b..1e0f2d1511f8 100644
--- a/controls/stig_ol9.yml
+++ b/controls/stig_ol9.yml
@@ -1973,7 +1973,7 @@ controls:
           or remote access to the system via a graphical user logon.
       rules:
           - dconf_gnome_login_banner_text
-          - login_banner_text=dod_default
+          - dconf_login_banner_text=dod_default
           - dconf_login_banner_contents=dod_default
 
     - id: OL09-00-002122
diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml
index 851d2f664d0c..c830866ac571 100644
--- a/controls/stig_ubuntu2204.yml
+++ b/controls/stig_ubuntu2204.yml
@@ -654,7 +654,7 @@ controls:
       levels:
           - medium
       rules:
-          - login_banner_text=dod_banners
+          - dconf_login_banner_text=dod_banners
           - dconf_login_banner_contents=dod_default
           - dconf_gnome_login_banner_text
       status: automated
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index 1878a8587286..cdcf1807ad14 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -690,8 +690,8 @@ controls:
       rules:
           - dconf_gnome_banner_enabled
           - dconf_gnome_login_banner_text
-          - login_banner_text=cis_banners
-          - login_banner_contents=cis_default
+          - dconf_login_banner_text=cis_banners
+          - dconf_login_banner_contents=cis_default
 
     - id: 1.8.3
       title: Ensure GDM disable-user-list option is enabled (Automated)
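Review bot: The renamed selector `dconf_login_banner_text=cis_banners` picks a different option of the same variable than controls/cis_ubuntu2404.yml and controls/general_sle15.yml do in this commit (`cis_default`), while `dconf_login_banner_contents` is set to `cis_default` in all of them. If the `dconf_login_banner_text` variable does not define a `cis_banners` option I would expect the profile build to reject it, and if it does define one, the two CIS benchmarks now select different banner text; worth confirming which is intended and, if the options are meant to be equivalent, using `dconf_login_banner_text=cis_default` here as well.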
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 80d8bf1fe71d..c89accc931d2 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -128,6 +128,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -254,8 +256,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index b0fe97a998ef..d40f3e2d8255 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -57,6 +57,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 enable_authselect
@@ -165,8 +167,6 @@ kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
 kernel_module_usb-storage_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index 79ff5989d0a0..17ffd016a562 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -55,6 +55,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 enable_authselect
@@ -162,8 +164,6 @@ kernel_module_freevxfs_disabled
 kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3db1a26a5d2f..68a56c55311d 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -128,6 +128,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -254,8 +256,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid

From ffe160a6e6a12e5332a12c17f60777b89e604182 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
Date: Wed, 25 Feb 2026 15:13:04 +0100
Subject: [PATCH 196/265] Fix SUSE content to be aligned with RHEL content

---
 .../accounts-banners/banner_etc_issue/ansible/shared.yml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index 4136c8e028dc..c1f5e665bf57 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -19,7 +19,7 @@
 - name: "{{{ rule_title }}} - Ensure Correct Banner"
   ansible.builtin.copy:
     dest: /etc/issue.d/99-oscap-setting
-    content: "{{ login_banner_contents }}\n"
+    content: "{{ login_banner_contents | replace('\\n', '\n') }}\n"
 
 - name: "{{{ rule_title }}} - Restart issue-generator Service on Issue Configuration Change"
   ansible.builtin.systemd:
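Review bot: The added `replace('\\n', '\n')` on the content line may not behave as it reads once the string reaches Jinja2: YAML double-quote unescaping turns `'\\n'` into the two characters backslash-n and `'\n'` into a real newline, and Jinja2 then decodes backslash escapes inside its own string literals, so both arguments can end up as the same newline character and the filter becomes a no-op. I would confirm with a rendered playbook that a banner variable holding a literal `\n` actually produces line breaks in /etc/issue.d/99-oscap-setting; if it does not, `replace('\\\\n', '\n')` is the form that survives both decoding steps. The surrounding task list continues outside the hunk.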

From 07d403e568c2d459d44236217bebac5623087875 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 07:53:15 +0200
Subject: [PATCH 197/265] Make sure oval checks and remediations cover the case
 where default sshd config is in /usr subdir

Add macros for Ansible, Bash and OVAL to check and set sshd configuration parameters for the case where the configuration can reside in both /usr and /etc
---
 shared/macros/10-ansible.jinja | 117 ++++++++++++++++++++++++++
 shared/macros/10-bash.jinja    |  50 +++++++++++
 shared/macros/10-oval.jinja    | 147 +++++++++++++++++++++++++++++++++
 3 files changed, 314 insertions(+)

diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index fe432b975fc5..7347a88c6775 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -2387,3 +2387,120 @@ lines will be inserted at the beginning of the profile.
   ansible.builtin.command: dconf update
   when: dconf_user_profile_blockinfile is changed
 {{%- endmacro -%}}
+
+
+{{#
+
+    Set a sshd configuration parameter to a value for system with /usr - located default config 
+
+:parameter msg: Message to be set as Task Title, if not set the rule's title will be used instead
+:type msg: str
+:parameter parameter: Parameter to set
+:type parameter: str
+:parameter value: The value to set
+:type value: str
+:param copy_defaults: If true default sshd configuration in /usr/etc/ssh/sshd_config will be
+copied onto /etc/ssh/sshd_config, if /etc/ssh/sshd_config does not exist
+:type copy_defaults: bool
+:parameter config_basename: drop-in filename of sshd configuration file
+:type config_basename: str
+
+#}}
+{{%- macro ansible_sshd_set_usr(msg='', parameter='', value='', copy_defaults=true, config_basename="00-complianceascode-hardening.conf", rule_title=None) %}}
+{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
+{{%- set sshd_usr_config_path = "/usr/etc/ssh/sshd_config" %}}
+{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set sshd_usr_config_dir = "/usr/etc/ssh/sshd_config.d" -%}}
+{{%- set ssh_paths = ['/etc/ssh/sshd_config.d', '/usr/etc/ssh/sshd_config.d'] -%}}
+{{%- set config_file = "/etc/ssh/sshd_config.d/" ~ config_basename -%}}
+{{%- set new_line = parameter + ' ' + value -%}}
+{{%- set line_regex = "(?i)^\s*" + "{{ \"" + parameter + "\"| regex_escape }}" + "\s+" -%}}
+{{%- set dir_parameter = "sshd_config_d_has_parameter" -%}}
+{{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
+
+- name: Copy default {{{ sshd_usr_config_path }}} to {{{ sshd_config_path }}}
+  ansible.builtin.copy:
+    src: {{{ sshd_usr_config_path }}}
+    dest: {{{ sshd_config_path }}}
+    force: no
+    mode: '0600'
+- name: {{{ rule_title }}} - Check if the parameter {{{ parameter }}} is configured in sshd configuration(s)
+  ansible.builtin.find:
+    paths:
+    - '/etc/ssh'
+    - '/usr/etc/ssh'
+    - {{{ sshd_config_dir }}}
+    - {{{ sshd_usr_config_dir }}}
+    contains: {{{ line_regex }}}
+    patterns:
+    - '*.conf'
+    - 'sshd_config'
+  register: _sshd_config_has_parameter
+- name: {{{ rule_title }}} - Check if the parameter {{{ parameter }}} is configured correctly in sshd configuration(s)
+  ansible.builtin.find:
+    paths:
+    - '/etc/ssh'
+    - '/usr/etc/ssh'
+    - {{{ sshd_config_dir }}}
+    - {{{ sshd_usr_config_dir }}}
+    contains: {{{ line_regex ~ value ~ "$" }}}
+    patterns:
+    - '*.conf'
+    - 'sshd_config'
+  register: _sshd_config_correctly
+- name: '{{{ msg or rule_title }}}'
+  block:
+    {{{ ansible_lineinfile(
+            "Deduplicate values from " + sshd_config_path,
+            sshd_config_path,
+            regex=line_regex,
+            insensitive='false',
+            create='no',
+            state='absent')|indent }}}
+    {{{ ansible_lineinfile(
+            "Deduplicate values from " + sshd_usr_config_path,
+            sshd_usr_config_path,
+            regex=line_regex,
+            insensitive='false',
+            create='no',
+            state='absent')|indent }}}
+    - name: "Check if the parameter {{{ parameter }}} is present in {{{ sshd_config_dir }}} and in {{{ sshd_usr_config_dir }}}"
+      ansible.builtin.find:
+        paths: {{{ ssh_paths }}}
+        recurse: 'yes'
+        follow: 'no'
+        contains: '(?i)^\s*{{ "{{{ parameter }}}"| regex_escape }}\s+'
+      register: {{{ dir_parameter }}}
+    {{{ ansible_lineinfile(
+            "Remove parameter from files in " + sshd_config_dir,
+            path="{{ item.path }}",
+            regex=line_regex,
+            state="absent",
+            with_items=lineinfile_items)|indent}}}
+    {{{ ansible_lineinfile(
+            "Remove parameter from files in " + sshd_usr_config_dir,
+            path="{{ item.path }}",
+            regex=line_regex,
+            state="absent",
+            with_items=lineinfile_items)|indent }}}
+    {{{ ansible_lineinfile(
+            "Insert correct line to " + config_file,
+            config_file,
+            regex=line_regex,
+            insensitive='false',
+            new_line=new_line,
+            create='yes',
+            state='present',
+            validate='/usr/sbin/sshd -t -f %s',
+            insert_after='',
+            insert_before="BOF" )|indent }}}
+  when: _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
+
+- name: {{{ rule_title }}} - set file mode for {{{ config_file }}}
+  ansible.builtin.file:
+    path: {{{ config_file }}}
+    mode: '0600'
+    state: touch
+    modification_time: preserve
+    access_time: preserve
+{{%- endmacro %}}
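Review bot: The `Copy default … sshd_config` task at the top of `ansible_sshd_set_usr` uses `ansible.builtin.copy` with `src: /usr/etc/ssh/sshd_config` but no `remote_src: true`, so Ansible looks for that file on the controller instead of on the managed host; add `remote_src: true` next to `force: no`. The task also runs unconditionally even though the macro accepts and documents `copy_defaults`; wrapping it in `{{%- if copy_defaults %}} … {{%- endif %}}` gives the parameter an effect. As a nit, the docstring uses `:param copy_defaults:` while the other arguments are documented with `:parameter …:`.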
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 8bcd4bec988c..9d8a759e3b01 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2748,3 +2748,53 @@ This macro creates a Bash conditional which checks the system architecture in /p
 {{%- macro bash_arch_conditional(arch) -%}}
 ( grep -sqE "^.*\.{{{ arch }}}$" /proc/sys/kernel/osrelease || grep -sqE "^{{{ arch }}}$" /proc/sys/kernel/arch; )
 {{%- endmacro -%}}
+
+
+{{#
+    Set a sshd configuration parameter to a value for system with default configuration in /usr subdir 
+
+:parameter parameter: Parameter to set
+:type parameter: str
+:parameter value: The value to set
+:type value: str
+:param copy_defaults: If true default sshd configuration in /usr/etc/ssh/sshd_config will be
+copied onto /etc/ssh/sshd_config, if /etc/ssh/sshd_config does not exist
+:type copy_defaults: bool
+:parameter config_basename: drop-in filename of sshd configuration file
+:type config_basename: str
+
+#}}
+{{% macro bash_sshd_remediation_usr(parameter, value, copy_defaults="true", config_basename="00-complianceascode-hardening.conf", rule_id=None) -%}}
+{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
+{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set sshd_usr_config_path = "/usr/etc/ssh/sshd_config" %}}
+{{%- set sshd_usr_config_dir = "/usr/etc/ssh/sshd_config.d" -%}}
+{{%- set prefix_regex = "^\s*" -%}}
+{{%- set separator_regex = "\s\+" -%}}
+{{%- set hardening_config_basename = config_basename %}}
+{{%- set line_regex = prefix_regex ~ parameter ~ separator_regex %}}
+
+if ! [ -e "{{{ sshd_config_path }}}" ] ; then
+    cp "{{{ sshd_usr_config_path }}}" "{{{ sshd_config_path }}}"
+fi
+
+mkdir -p {{{ sshd_config_dir }}}
+touch {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}}
+chmod 0600 {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}}
+{{{ lineinfile_absent(sshd_config_path, line_regex, insensitive=true, rule_id=rule_id) }}}
+{{{ lineinfile_absent_in_directory(sshd_config_dir, line_regex, insensitive=true, filename_glob="*.conf") }}}
+{{{ lineinfile_absent(sshd_usr_config_path, line_regex, insensitive=true, rule_id=rule_id) }}}
+{{{ lineinfile_absent_in_directory(sshd_usr_config_dir, line_regex, insensitive=true, filename_glob="*.conf") }}}
+{{{ set_config_file(
+        path=sshd_config_dir ~ "/" ~ hardening_config_basename,
+        parameter=parameter,
+        value=value,
+        create=true,
+        insert_after="",
+        insert_before="BOF",
+        insensitive=true,
+        separator=" ",
+        separator_regex=separator_regex,
+        prefix_regex=prefix_regex, rule_id=rule_id)
+    }}}
+{{%- endmacro %}}
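Review bot: `copy_defaults` is accepted by `bash_sshd_remediation_usr` but never read, so the `cp` of /usr/etc/ssh/sshd_config into /etc runs unconditionally; wrap that `if ! [ -e … ]` block in `{{%- if copy_defaults %}} … {{%- endif %}}`, and note that with the string default `"true"` a caller passing the string `"false"` is still truthy in Jinja, so a boolean default like the Ansible macro uses is safer. The copied file keeps whatever mode the umask gives it, unlike the Ansible variant which sets `mode: '0600'`; a `chmod 0600 "{{{ sshd_config_path }}}"` after the `cp` keeps the two remediations in step. The `cp` also fails outright when /usr/etc/ssh/sshd_config is itself absent, so guarding it with `[ -e "{{{ sshd_usr_config_path }}}" ]` avoids a spurious error. The `lineinfile_absent` calls against the /usr paths edit vendor-shipped defaults, which package updates may overwrite; if that is accepted, a short comment saying so would help the next reader.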
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index 6466728189db..a755d21e0593 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -1878,3 +1878,150 @@ Macro generates an OVAL test definition to verify that a specified audit tool is
   
 
 {{%- endmacro -%}}
+
+
+{{#
+    Create a full OVAL check for an sshd parameter and value in /etc/ssh/sshd_config or /usr/etc/ssh/sshd_config.
+    Including /etc/ssh/sshd_config.d/*.conf and /usr/etc/ssh/sshd_config.d/*.conf (default on SUSE Linux Enterprise Server 16)
+
+:param parameter: Parameter to check
+:type parameter: str
+:param value: Value to check
+:type value: str
+:param missing_parameter_pass: If true, the check will pass if the parameter missing.
+:type missing_parameter_pass: bool
+:param xccdf_variable: the name of an XCCDF variable carrying the value, this conflicts with the value parameter
+:type xccdf_variable: str
+:param datatype: a data type of the value
+:type datatype: str
+
+#}}
+{{%- macro sshd_oval_check_usr(parameter, value, missing_parameter_pass, xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
+{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
+{{%- set sshd_usr_config_path = "/usr/etc/ssh/sshd_config" -%}}
+{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set sshd_usr_config_dir = "/usr/etc/ssh/sshd_config.d" -%}}
+{{%- if xccdf_variable -%}}
+{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}}
+{{%- else -%}}
+{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_config_path -%}}
+{{%- endif -%}}
+{{%- set description = description  ~ " or in " ~ sshd_config_dir -%}}
+{{%- set description = description  ~ " or in " ~ sshd_usr_config_path -%}}
+{{%- set description = description  ~ " or in " ~ sshd_usr_config_dir -%}}
+{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}}
+
+
+  
+   {{{ oval_metadata(description, rule_title=rule_title) }}}
+   
+     
+        
+        
+     
+     
+        
+        
+        
+        
+          
+            
+              {{{ oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}}
+              {{{ oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}}
+              {{{ oval_line_in_file_criterion(sshd_usr_config_dir, parameter, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent(12) }}}
+            
+            {{%- if not missing_parameter_pass -%}}
+            
+            {{%- endif -%}}
+          
+        
+      
+      
+        
+        
+        
+        
+          
+            
+              {{{ oval_line_in_file_criterion(sshd_usr_config_path, parameter, avoid_conflicting=true, id_stem=rule_id ~ "_sshd_usr_config_path") | indent(12)}}}
+              {{{ oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}}
+              {{{ oval_line_in_file_criterion(sshd_usr_config_dir, parameter, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent(12) }}}
+            
+            {{%- if not missing_parameter_pass -%}}
+            
+            {{%- endif -%}}
+          
+        
+      
+    
+  
+
+  {{{ oval_config_file_exists_test(sshd_config_path, rule_id=rule_id) }}}
+  {{{ oval_config_file_exists_object(sshd_config_path, rule_id=rule_id) }}}
+
+  {{{ oval_line_in_file_test(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}}
+  {{{ oval_line_in_file_object(sshd_config_path, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}}
+
+  {{{ oval_line_in_directory_test(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}}
+  {{{ oval_line_in_directory_object(sshd_config_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}}
+  {{%- if xccdf_variable -%}}
+  {{{ oval_line_in_file_define_variable(xccdf_variable, datatype) }}}
+  {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype, rule_id=rule_id) }}}
+  {{{ oval_line_in_directory_state_xccdf_variable(xccdf_variable, datatype, rule_id=rule_id) | indent (2) }}}
+  {{{ oval_line_in_file_state_xccdf_variable(var_name=xccdf_variable, datatype=datatype, id_stem=rule_id ~ "_sshd_usr_config_path") | indent (2) }}}
+  {{{ oval_line_in_file_state_xccdf_variable(var_name=xccdf_variable, datatype=datatype, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent (2) }}}
+  {{%- else -%}}
+  {{{ oval_line_in_file_state(value, rule_id=rule_id) | indent (2) }}}
+  {{{ oval_line_in_directory_state(value, rule_id=rule_id) | indent (2) }}}
+  {{{ oval_line_in_file_state(value, id_stem=rule_id ~ "_sshd_usr_config_path") | indent (2) }}}
+  {{{ oval_line_in_file_state(value, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent (2) }}}
+  {{%- endif -%}}
+
+  {{{ oval_line_in_file_test(sshd_usr_config_path, parameter, avoid_conflicting=true, id_stem=rule_id ~ "_sshd_usr_config_path") | indent (2) }}}
+  {{{ oval_line_in_file_object(sshd_usr_config_path, parameter=parameter, id_stem=rule_id ~ "_sshd_usr_config_path", ** case_insensitivity_kwargs)| indent (2) }}}
+  {{{ oval_line_in_file_test(sshd_usr_config_dir, parameter, avoid_conflicting=true, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent (2) }}}
+  {{{ oval_line_in_file_object(sshd_usr_config_dir, parameter=parameter, filename_regex=".*\.conf$", id_stem=rule_id ~ "_sshd_usr_config_dir", ** case_insensitivity_kwargs) | indent (2) }}}
+
+  {{%- if not missing_parameter_pass -%}}
+  
+    
+      
+        obj_{{{ rule_id }}}
+        obj_{{{ rule_id }}}_config_dir
+      
+      
+        obj_{{{ rule_id }}}_sshd_usr_config_dir
+      
+    
+  
+
+  
+    
+  
+
+  
+    
+      
+        obj_{{{ rule_id }}}_config_dir
+      
+      
+        obj_{{{ rule_id }}}_sshd_usr_config_path
+        obj_{{{ rule_id }}}_sshd_usr_config_dir
+      
+    
+  
+
+  
+    
+  
+  {{%- endif -%}}
+
+{{%- endmacro -%}}
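Review bot: Both criteria for the /usr drop-in directory, `oval_line_in_file_criterion(sshd_usr_config_dir, parameter, id_stem=rule_id ~ "_sshd_usr_config_dir")`, are emitted without `avoid_conflicting=true`, while the matching `oval_line_in_file_test(sshd_usr_config_dir, …, avoid_conflicting=true, …)` and the sibling criteria for the /etc paths pass it; if `avoid_conflicting` feeds into the generated comment or test reference, criterion and test will disagree, so passing it consistently is the safer choice. The description assembled when `xccdf_variable` is set reads "configured with value configured in … variable", which is awkward in the rendered OVAL; "configured with the value of the … variable" would be clearer. The XML element lines of this hunk are not visible in this view, so the nesting of the criteria groups could not be checked.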

From d094607042fa5635d41f5828622ed88b05bb7593 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 07:57:04 +0200
Subject: [PATCH 198/265] Use the new macros in sshd lineinfile context

---
 .../sshd_lineinfile/ansible.template          | 53 +++++++++++++-----
 .../templates/sshd_lineinfile/bash.template   | 18 +++++--
 .../templates/sshd_lineinfile/oval.template   | 54 +++++++++++++++++--
 .../templates/sshd_lineinfile/tests/common.sh |  9 +++-
 .../tests/correct_value_directory.pass.sh     |  3 +-
 .../correct_value_usr_config_dir.pass.sh      |  9 ++++
 .../correct_value_usr_config_path.pass.sh     | 13 +++++
 .../tests/duplicated_param.pass.sh            |  9 ++--
 .../tests/duplicated_param_directory.pass.sh  | 11 ++--
 .../tests/line_not_there.fail.sh              |  5 ++
 .../tests/param_conflict_directory.fail.sh    |  2 +-
 ...param_conflict_file_with_directory.fail.sh |  2 +-
 .../tests/wrong_value_directory.fail.sh       |  2 +-
 .../tests/wrong_value_usr_config_dir.fail.sh  | 14 +++++
 .../tests/wrong_value_usr_config_path.fail.sh | 16 ++++++
 15 files changed, 185 insertions(+), 35 deletions(-)
 create mode 100644 shared/templates/sshd_lineinfile/tests/correct_value_usr_config_dir.pass.sh
 create mode 100644 shared/templates/sshd_lineinfile/tests/correct_value_usr_config_path.pass.sh
 create mode 100644 shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_dir.fail.sh
 create mode 100644 shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_path.fail.sh

diff --git a/shared/templates/sshd_lineinfile/ansible.template b/shared/templates/sshd_lineinfile/ansible.template
index a5a1f2302d7b..0739450cdf24 100644
--- a/shared/templates/sshd_lineinfile/ansible.template
+++ b/shared/templates/sshd_lineinfile/ansible.template
@@ -6,19 +6,44 @@
 
 {{% if XCCDF_VARIABLE %}}
 {{{ ansible_instantiate_variables(XCCDF_VARIABLE) }}}
-{{{
-    ansible_sshd_set(
-        parameter=PARAMETER,
-        value="{{ "+XCCDF_VARIABLE+" }}",
-        config_is_distributed=sshd_distributed_config,
-        config_basename=CONFIG_BASENAME, rule_title=rule_title)
-}}}
+    {{%- if product == 'sle16' -%}}
+        {{{
+            ansible_sshd_set_usr(
+                parameter=PARAMETER,
+                value="{{ "+XCCDF_VARIABLE+" }}",
+                copy_defaults='true',
+                config_basename=CONFIG_BASENAME,
+                rule_title=rule_title
+            )
+        }}}
+    {{%- else -%}}
+        {{{
+            ansible_sshd_set(
+                parameter=PARAMETER,
+                value="{{ "+XCCDF_VARIABLE+" }}",
+                config_is_distributed=sshd_distributed_config,
+                config_basename=CONFIG_BASENAME, rule_title=rule_title)
+        }}}
+    {{%- endif -%}}
 {{% else %}}
-{{{
-    ansible_sshd_set(
-        parameter=PARAMETER,
-        value=VALUE,
-        config_is_distributed=sshd_distributed_config,
-        config_basename=CONFIG_BASENAME, rule_title=rule_title)
-}}}
+    {{%- if product == 'sle16' -%}}
+        {{{
+            ansible_sshd_set_usr(
+                parameter=PARAMETER,
+                value=VALUE,
+                copy_defaults='true',
+                config_basename=CONFIG_BASENAME,
+                rule_title=rule_title
+            )
+        }}}
+    {{%- else -%}}
+        {{{
+            ansible_sshd_set(
+                parameter=PARAMETER,
+                value=VALUE,
+                config_is_distributed=sshd_distributed_config,
+                config_basename=CONFIG_BASENAME, rule_title=rule_title)
+        }}}
+    {{%- endif -%}}
+
  {{% endif %}}
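Review bot: `copy_defaults='true'` is passed as a string in both new `ansible_sshd_set_usr` calls, whereas the macro default is the boolean `true` and the bash template passes `copy_defaults=true`; any non-empty string, including `'false'`, is truthy in Jinja, so pass the boolean here for consistency. The `product == 'sle16'` test is hard-coded in this template and repeated in the bash and OVAL templates and several test scripts; the existing `sshd_distributed_config` property already shows how such a trait is expressed per product, and a similar product-level flag (name to be chosen) would keep the product list out of the shared templates.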
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
index aec5c2029a3a..4bec19d82f43 100644
--- a/shared/templates/sshd_lineinfile/bash.template
+++ b/shared/templates/sshd_lineinfile/bash.template
@@ -5,8 +5,16 @@
 # disruption = low
 
 {{% if XCCDF_VARIABLE %}}
-{{{ bash_instantiate_variables(XCCDF_VARIABLE) }}}
-{{{ bash_sshd_remediation(parameter=PARAMETER, value="$" ~ XCCDF_VARIABLE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
-{{% else %}}
-{{{ bash_sshd_remediation(parameter=PARAMETER, value=VALUE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
-{{% endif %}}
+    {{{- bash_instantiate_variables(XCCDF_VARIABLE) -}}}
+    {{%- if product == 'sle16' -%}}
+        {{{- bash_sshd_remediation_usr(parameter=PARAMETER, value="$" ~ XCCDF_VARIABLE, copy_defaults=true, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
+    {{%- else -%}}
+        {{{- bash_sshd_remediation(parameter=PARAMETER, value="$" ~ XCCDF_VARIABLE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
+    {{%- endif -%}}
+{{%- else -%}}
+    {{%- if product == 'sle16' -%}}
+        {{{- bash_sshd_remediation_usr(parameter=PARAMETER, value=VALUE, copy_defaults=true, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
+    {{%- else -%}}
+        {{{- bash_sshd_remediation(parameter=PARAMETER, value=VALUE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
+    {{%- endif -%}}
+{{%- endif -%}}
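Review bot: Every delimiter in the rewritten block now trims whitespace on both sides (`{{{- … -}}}`, `{{%- … -%}}`), including the `bash_instantiate_variables(XCCDF_VARIABLE)` call, so the newline between the variable assignment it emits and the first line of the remediation macro is stripped; whether the rendered script still has a line break there depends on the leading whitespace inside each macro's output. I would check the rendered Bash for one XCCDF-variable rule on both branches, or drop the `-` on the trailing side of the `bash_instantiate_variables` call.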
diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template
index d3f4218ec300..20e9534ff10f 100644
--- a/shared/templates/sshd_lineinfile/oval.template
+++ b/shared/templates/sshd_lineinfile/oval.template
@@ -1,5 +1,53 @@
-{{%- if XCCDF_VARIABLE -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+{{%- if product == 'sle16' -%}}
+    {{%- if XCCDF_VARIABLE -%}}
+        {{{
+            sshd_oval_check_usr(
+                parameter=PARAMETER,
+                xccdf_variable=XCCDF_VARIABLE,
+                missing_parameter_pass=MISSING_PARAMETER_PASS,
+                datatype=DATATYPE,
+                rule_id=rule_id,
+                rule_title=rule_title
+            )
+        }}}
+    {{%- else -%}}
+        {{{
+            sshd_oval_check_usr(
+            parameter=PARAMETER,
+            value=VALUE,
+            missing_parameter_pass=MISSING_PARAMETER_PASS,
+            datatype=DATATYPE,
+            rule_id=rule_id,
+            rule_title=rule_title
+            )
+        }}}
+    {{%- endif -%}}
 {{%- else -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+    {{%- if XCCDF_VARIABLE -%}}
+        {{{
+            sshd_oval_check(
+                parameter=PARAMETER,
+                xccdf_variable=XCCDF_VARIABLE,
+                missing_parameter_pass=MISSING_PARAMETER_PASS,
+                config_is_distributed=sshd_distributed_config,
+                runtime_check=sshd_runtime_check,
+                datatype=DATATYPE,
+                rule_id=rule_id,
+                rule_title=rule_title
+            )
+        }}}
+    {{%- else -%}}
+        {{{
+            sshd_oval_check(
+            parameter=PARAMETER,
+            value=VALUE,
+            missing_parameter_pass=MISSING_PARAMETER_PASS,
+            config_is_distributed=sshd_distributed_config,
+            runtime_check=sshd_runtime_check,
+            datatype=DATATYPE,
+            rule_id=rule_id,
+            rule_title=rule_title
+            )
+        }}}
+    {{%- endif -%}}
 {{%- endif -%}}
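Review bot: The argument lists in the two `else` branches (the `sshd_oval_check_usr(` call after the first `{{%- else -%}}` and the `sshd_oval_check(` call after the second) are not indented relative to the call, unlike the `if` branches above them; indent them one level to match. The sle16 branch also has no counterpart to `runtime_check=sshd_runtime_check`, so on that product only the on-disk files are evaluated; if that is intentional because `sshd_oval_check_usr` has no runtime variant, a one-line comment such as `{{# no runtime check for the /usr layout yet #}}` would save the next reader from wondering.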
diff --git a/shared/templates/sshd_lineinfile/tests/common.sh b/shared/templates/sshd_lineinfile/tests/common.sh
index 2f811821fde2..23d7937088af 100644
--- a/shared/templates/sshd_lineinfile/tests/common.sh
+++ b/shared/templates/sshd_lineinfile/tests/common.sh
@@ -3,8 +3,13 @@
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing
 
-if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-	sed -i "s/^{{{ PARAMETER }}}.*/# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}/g" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config" /etc/ssh/sshd_config.d/*)
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/*)
+{{% endif %}}
+
+if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
+	sed -i "s/^{{{ PARAMETER }}}.*/# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}/g" "${SSHD_PATHS[@]}"
 else
 	echo "# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config
 fi
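Review bot: `SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/*)` relies on the glob matching; unlike /etc/ssh/sshd_config.d, for which the script creates the directory and a `nothing` placeholder two lines above, nothing guarantees /usr/etc/ssh/sshd_config.d exists or is non-empty, so the pattern can stay literal and the following `sed -i` reports an error for a non-existent path. Either `shopt -s nullglob` before building the array, or mirror the `mkdir -p`/`touch` placeholder for the /usr directory. The same applies to the arrays in duplicated_param.pass.sh and duplicated_param_directory.pass.sh and to the explicit path lists in line_not_there.fail.sh and wrong_value_usr_config_path.fail.sh.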
diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
index 3114b75fe541..c0926871f3a3 100644
--- a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
+++ b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 {{%- if XCCDF_VARIABLE %}}
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
 {{%- endif %}}
@@ -12,4 +12,3 @@ source common.sh
 {{% endif %}}
 
 {{{ bash_sshd_remediation(parameter=PARAMETER, value=CORRECT_VALUE, config_is_distributed=sshd_distributed_config, rule_id=rule_id) -}}}
-
diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_dir.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_dir.pass.sh
new file mode 100644
index 000000000000..b853676b0552
--- /dev/null
+++ b/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_dir.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+{{%- if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{%- endif %}}
+
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /usr/etc/ssh/sshd_config.d/oscap-sshd-config.conf
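Review bot: The `# platform =` and `# variables =` headers are placed after `source common.sh` here and in correct_value_usr_config_path.pass.sh, whereas every other scenario in this series keeps them at the top of the file before any command; if the test harness only scans the leading comment block, these annotations would be missed, so move `source common.sh` below them. The `echo … >>` also assumes /usr/etc/ssh/sshd_config.d exists; a `mkdir -p /usr/etc/ssh/sshd_config.d` before it makes the scenario self-contained.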
diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_path.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_path.pass.sh
new file mode 100644
index 000000000000..b5dfae159dac
--- /dev/null
+++ b/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_path.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+{{%- if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{%- endif %}}
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /usr/etc/ssh/sshd_config
diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh
index aac35afbcad6..8d3d7be24f18 100644
--- a/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh
+++ b/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh
@@ -1,12 +1,15 @@
 #!/bin/bash
 
-
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config" /etc/ssh/sshd_config.d/*)
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/*)
+{{% endif %}}
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing
 
-if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-    sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
+    sed -i "/^\s*{{{ PARAMETER }}}.*/Id" "${SSHD_PATHS[@]}"
 fi
 
 {{% if XCCDF_VARIABLE %}}
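Review bot: The `SSHD_PATHS` array is built at the top of the script, before the `mkdir -p /etc/ssh/sshd_config.d` and `touch /etc/ssh/sshd_config.d/nothing` lines that make the `/etc/ssh/sshd_config.d/*` glob match; on a host where the directory is missing or empty the glob stays literal. Move the `declare -a SSHD_PATHS=…` block, together with its sle16 extension, below the `touch`, as duplicated_param_directory.pass.sh already does.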
diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
index b05adb222229..1b94be25b086 100644
--- a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
+++ b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing
@@ -9,8 +9,13 @@ touch /etc/ssh/sshd_config.d/nothing
 {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s", cce_identifiers=cce_identifiers) }}}
 {{% endif %}}
 
-if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-    sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config" /etc/ssh/sshd_config.d/*)
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/*)
+{{% endif %}}
+
+if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
+    sed -i "/^\s*{{{ PARAMETER }}}.*/Id" "${SSHD_PATHS[@]}"
 fi
 
 {{% if XCCDF_VARIABLE %}}
diff --git a/shared/templates/sshd_lineinfile/tests/line_not_there.fail.sh b/shared/templates/sshd_lineinfile/tests/line_not_there.fail.sh
index 5bc6d1043169..da6e5e46e494 100644
--- a/shared/templates/sshd_lineinfile/tests/line_not_there.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/line_not_there.fail.sh
@@ -5,4 +5,9 @@ SSHD_PARAM={{{ PARAMETER }}}
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing
 
+{{% if product == 'sle16' %}}
+touch /etc/ssh/sshd_config
+sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* /usr/etc/ssh/sshd_config /usr/etc/ssh/sshd_config.d/*
+{{% else %}}
 sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+{{% endif %}}
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
index d91244f7a08a..73ed7000227b 100644
--- a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 
 {{% if XCCDF_VARIABLE %}}
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
index 15eb1d87033b..530ffdc2fb14 100644
--- a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 {{% if XCCDF_VARIABLE %}}
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
index c5f2c41e875a..c9bf477b34ca 100644
--- a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 {{% if XCCDF_VARIABLE %}}
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_dir.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_dir.fail.sh
new file mode 100644
index 000000000000..a073ad1c0991
--- /dev/null
+++ b/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_dir.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+
+{{% if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
+touch /usr/etc/ssh/sshd_config.d/oscap-sshd-config.conf
+
+if grep -q "^\s*{{{ PARAMETER }}}" /usr/etc/ssh/sshd_config /usr/etc/ssh/sshd_config.d/* ; then
+	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /usr/etc/ssh/sshd_config /usr/etc/ssh/sshd_config.d/*
+fi
+
+echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /usr/etc/ssh/sshd_config.d/oscap-sshd-config.conf
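Review bot: The `touch /usr/etc/ssh/sshd_config.d/oscap-sshd-config.conf` line assumes the drop-in directory already exists on the test image; if it does not, the touch fails and the script ends without staging the wrong value, so the scenario no longer exercises the check. A `mkdir -p /usr/etc/ssh/sshd_config.d` before the touch makes the setup self-contained. The sibling scenario at L7053–L7069 has the related problem that the unquoted `/usr/etc/ssh/sshd_config.d/*` glob is handed to grep and sed as a literal path when the directory is empty (nullglob is not set), which only produces error noise here but is worth a `shopt -s nullglob`. The sed line also indents with a tab where the rest of the file uses spaces.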
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_path.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_path.fail.sh
new file mode 100644
index 000000000000..0ff115b7e45e
--- /dev/null
+++ b/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_path.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+
+{{% if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+
+if grep -q "^\s*{{{ PARAMETER }}}" /usr/etc/ssh/sshd_config /usr/etc/ssh/sshd_config.d/* ; then
+	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /usr/etc/ssh/sshd_config /usr/etc/ssh/sshd_config.d/*
+fi
+
+echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" >> /usr/etc/ssh/sshd_config

From 5d65b420049525dd1cb8b849713625758116bad2 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 07:59:10 +0200
Subject: [PATCH 199/265] Use the new macros in sshd_use_strong_kex rule

---
 .../sshd_use_strong_kex/ansible/shared.yml    |  20 +-
 .../sshd_use_strong_kex/bash/shared.sh        |  21 ++-
 .../sshd_use_strong_kex/oval/sle16.xml        | 171 ++++++++++++++++++
 ...rect_value_etc_sshd_config_drop_in.pass.sh |   7 +
 ...lue_in_usr_etc_sshd_config_present.fail.sh |   7 +
 .../correct_value_usr_etc_sshd_config.pass.sh |   7 +
 ..._value_usr_etc_sshd_config_drop_in.pass.sh |   6 +
 .../sshd_use_strong_kex/tests/include.sh      |  15 ++
 ...rong_value_etc_sshd_config_drop_in.fail.sh |   6 +
 .../wrong_value_usr_etc_sshd_config.fail.sh   |   6 +
 ..._value_usr_etc_sshd_config_drop_in.fail.sh |   6 +
 11 files changed, 269 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/sle16.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/include.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml
index fc2a78f3d79c..82b732e0e66b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml
@@ -6,4 +6,22 @@
 
 {{{ ansible_instantiate_variables("sshd_strong_kex") }}}
 
-{{{ ansible_sshd_set(parameter="KexAlgorithms", value="{{ sshd_strong_kex }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}}
+{{%- if product == 'sle16' -%}}
+    {{{
+        ansible_sshd_set_usr(
+                parameter="KexAlgorithms",
+                value="{{ sshd_strong_kex }}",
+                copy_defaults='true',
+                rule_title=rule_title
+            )
+    }}}
+{{%- else -%}}
+    {{{
+        ansible_sshd_set(
+          parameter="KexAlgorithms",
+          value="{{ sshd_strong_kex }}",
+          config_is_distributed=sshd_distributed_config,
+          rule_title=rule_title
+        )
+    }}}
+{{%- endif -%}}
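Review bot: `copy_defaults='true'` passes a Jinja string where the bash remediation in the same commit (L7143) passes the bare boolean `true`; both are truthy, but so is the string `'false'`, so the string form silently loses the off-switch if anyone later flips it. Use `copy_defaults=true` here as well so both remediations call their macro the same way. How the value is actually tested depends on `ansible_sshd_set_usr`, which is outside this diff.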
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh
index e5a56dbfc6ec..de205aedd670 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh
@@ -5,5 +5,22 @@
 # disruption = low
 {{{ bash_instantiate_variables("sshd_strong_kex") }}}
 
-{{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$sshd_strong_kex", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}}
-
+{{%- if product == 'sle16' -%}}
+    {{{
+        bash_sshd_remediation_usr(
+            parameter="KexAlgorithms",
+            value="$sshd_strong_kex",
+            copy_defaults=true,
+            rule_id=rule_id
+        )
+    }}}
+{{%- else -%}}
+    {{{
+        bash_sshd_remediation(
+            parameter="KexAlgorithms",
+            value="$sshd_strong_kex",
+            config_is_distributed=sshd_distributed_config,
+            rule_id=rule_id
+        )
+    }}}
+{{%- endif -%}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/sle16.xml
new file mode 100644
index 000000000000..d6c8fb2432cf
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/sle16.xml
@@ -0,0 +1,171 @@
+
+  
+    {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.", rule_title=rule_title) }}}
+    
+      
+        
+        
+      
+      
+        
+          
+          
+          
+          
+          
+          
+        
+        
+          
+          
+          
+          
+          
+          
+        
+      
+    
+  
+
+  
+    
+  
+  
+    ^/etc/ssh/sshd_config
+  
+
+  
+    
+    
+  
+
+  
+    var_sshd_config_kex
+  
+
+  
+    
+  
+
+  
+    
+      
+    
+  
+
+  
+    /etc/ssh/sshd_config
+    ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$
+    1
+  
+
+
+  
+    
+    
+  
+
+  
+    var_sshd_config_kex_usr
+  
+
+  
+    
+  
+
+  
+    
+      
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config
+    ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+  
+
+  
+    var_sshd_config_kex_config_dir
+  
+
+  
+    
+  
+
+  
+    ^(/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)
+    .*\.conf$
+    ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+      
+    
+  
+
+  
+    
+  
+
+  
+    
+      obj_sshd_config_kex
+      obj_sshd_config_kex_config_dir
+    
+  
+
+  
+    
+  
+
+  
+    
+      obj_sshd_config_kex_usr
+      obj_sshd_config_kex_config_dir
+    
+  
+
+  
+    
+      
+    
+  
+  
+
+
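Review bot: In the three content regexes (the `KexAlgorithms` patterns for /etc, /usr/etc and the drop-in directories) the character class `[\w,-@]` contains the range `,-@`, which spans `,` through `@` and so also admits `.`, `/`, `:`, `;`, `<`, `=`, `>` and `?`, none of which belong in a KexAlgorithms value; a literal hyphen must be placed last or escaped. The nested quantifier `([\w,-@]+)+` is also a classic backtracking hazard on lines that do not match, and the outer `+` adds nothing because the inner class already repeats. `^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,@-]+)[\s]*(?:#.*)?$` captures the same value without either issue. The XML element names appear to have been stripped in this rendering, so the object/state wiring around the patterns cannot be checked here.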
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..7a794f42a4b1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
+
+source include.sh
+
+echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
new file mode 100644
index 000000000000..9c44448054f2
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
+source include.sh
+
+touch /etc/ssh/sshd_config
+echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config.pass.sh
new file mode 100644
index 000000000000..0577aad9bd14
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
+
+source include.sh
+
+echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..ab24bed01ba1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
+source include.sh
+
+echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/include.sh
new file mode 100644
index 000000000000..179b7b36e808
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/include.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^KexAlgorithms.*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
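Review bot: The cleanup `sed -i '/^KexAlgorithms.*/d'` deletes only lines that start with `KexAlgorithms` at column 0 in that exact case, while the check these scenarios feed accepts leading whitespace and any case (the `(?i)` regexes in the accompanying oval/sle16.xml), so a pre-existing indented or lower-case entry survives the cleanup and can flip a .fail scenario to pass. `sed -i -E '/^[[:space:]]*KexAlgorithms/Id' "${SSHD_PATHS[@]}"` matches what the check matches; the `I` address flag is already used elsewhere in this series. Separately, with nullglob unset the `/usr/etc/ssh/sshd_config.d/*` glob in the array append is passed to sed as a literal path when the directory is empty, and `sed -i` then reports it as unreadable; `shopt -s nullglob` before the append avoids that.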
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..a1a7b95bafff
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
+source include.sh
+
+echo "KexAlgorithms diffie-hellman-group-exchange-sha1" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config.fail.sh
new file mode 100644
index 000000000000..df52b52f680d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
+source include.sh
+
+echo "KexAlgorithms diffie-hellman-group-exchange-sha1" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..2a71c2a3bd53
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
+source include.sh
+
+echo "KexAlgorithms diffie-hellman-group-exchange-sha1" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf

From 0258f34e38e2c2e3e3c57d00e632066d1f917326 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 08:02:20 +0200
Subject: [PATCH 200/265] For sle16 enhance the check and the tests to cover
 cases with sshd_config in /usr and subfolders

---
 .../sshd_limit_user_access/oval/sle16.xml     | 100 ++++++++++++++++++
 .../tests/allow_groups.pass.sh                |   2 +-
 ...low_groups_etc_ssh_sshd_config_dir.pass.sh |   4 +
 .../tests/allow_users.pass.sh                 |   2 +-
 .../tests/allow_users_groups.pass.sh          |   2 +-
 ...llow_users_usr_etc_ssh_sshd_config.pass.sh |   5 +
 .../sshd_limit_user_access/tests/common.sh    |  15 +++
 .../deny_group_in_usr_etc_missing.fail.sh     |   7 ++
 .../tests/deny_groups.pass.sh                 |   2 +-
 .../tests/deny_users.pass.sh                  |   2 +-
 .../tests/deny_users_groups.pass.sh           |   2 +-
 ..._users_usr_etc_ssh_sshd_config_dir.pass.sh |   5 +
 .../tests/empty_groups.fail.sh                |   2 +-
 .../tests/empty_users.fail.sh                 |   2 +-
 .../tests/no_entry.fail.sh                    |   2 +-
 15 files changed, 145 insertions(+), 9 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups_etc_ssh_sshd_config_dir.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_usr_etc_ssh_sshd_config.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/common.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_group_in_usr_etc_missing.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_usr_etc_ssh_sshd_config_dir.pass.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml
new file mode 100644
index 000000000000..8dce53384a11
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml
@@ -0,0 +1,100 @@
+{{% macro test_sshd_lineinfile(filepath, param, id) %}}
+{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
+  
+    
+  
+  
+    ^{{{ filepath }}}
+    (?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$
+    1
+  
+{{% endmacro %}}
+
+{{% macro test_sshd_lineindir(filepath, param, id) %}}
+{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
+  
+    
+  
+  
+    {{{ filepath }}}
+    .*\.conf$
+    (?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$
+    1
+  
+{{% endmacro %}}
+
+
+  
+    {{{ oval_metadata("One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}}
+    
+      
+        
+        
+            
+            
+            
+            
+            
+            
+            
+            
+            
+            
+            
+            
+        
+      
+      
+        
+        
+            
+            
+            
+            
+            
+            
+            
+            
+            
+            
+            
+            
+        
+      
+    
+  
+
+  
+    
+  
+  
+    ^/etc/ssh/sshd_config
+  
+
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig") }}}
+
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig") }}}
+
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig_dir") }}}
+
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+
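Review bot: Both macros derive `object_id` from `filepath` alone, so the four calls per path that differ only in `param` (AllowUsers, AllowGroups, DenyUsers, DenyGroups) compute the same id; if that id names the generated OVAL object, the definitions collide and only one parameter is effectively checked per file. Folding the parameter in, e.g. `{{%- set object_id = (filepath ~ "_" ~ param) | replace("/", "_") | replace("-", "_") | replace(".", "_") | lower -%}}`, keeps the ids distinct. The element tags appear to have been stripped from this rendering, so where `object_id` is used cannot be confirmed here. The unescaped, end-unanchored `^{{{ filepath }}}` in test_sshd_lineinfile would also match any path that merely begins with the given one; a trailing `$` prevents that.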
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh
index 4a5255dc3c9f..0794a24e80a7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups_etc_ssh_sshd_config_dir.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups_etc_ssh_sshd_config_dir.pass.sh
new file mode 100644
index 000000000000..2f5b763698b1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups_etc_ssh_sshd_config_dir.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+echo "AllowGroups group" >> /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh
index 9bde6d56cd92..520d0a048faa 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh
index 0b35e7039585..6d6bd04f37b6 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
 echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_usr_etc_ssh_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_usr_etc_ssh_sshd_config.pass.sh
new file mode 100644
index 000000000000..04b090c1a148
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_usr_etc_ssh_sshd_config.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+echo "AllowUsers testuser1 testuser2 testuser3" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/common.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/common.sh
new file mode 100644
index 000000000000..3c936c2321ce
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/common.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^(Allow|Deny)(Users|Groups).*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
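Review bot: In sed's default basic regex syntax `(`, `)` and `|` are literal characters, so the address `/^(Allow|Deny)(Users|Groups).*/d` only matches a line that literally begins with `(Allow|Deny)(Users|Groups)` and the cleanup removes nothing; the inline `find | xargs sed` line this helper replaces had the same problem, and the commit carries it into the shared file. `sed -i -E '/^[[:space:]]*(Allow|Deny)(Users|Groups)/Id' "${SSHD_PATHS[@]}"` enables extended syntax and also covers the case- and space-insensitive form the new OVAL regex (`(?i)^[ ]*…`) accepts. As in the sshd_use_strong_kex include.sh at L7367, the unquoted `/usr/etc/ssh/sshd_config.d/*` glob is handed to sed literally when the directory is empty unless nullglob is set.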
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_group_in_usr_etc_missing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_group_in_usr_etc_missing.fail.sh
new file mode 100644
index 000000000000..6d23da947c9d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_group_in_usr_etc_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# remediation = none
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+touch /etc/ssh/sshd_config
+echo "DenyGroups testgroup" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh
index a324d89e397d..16f6e9d3d58f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh
index 35c7f65d7514..adb157baddd2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh
index fc55098614a0..ebe08fb81dea 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
 echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_usr_etc_ssh_sshd_config_dir.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_usr_etc_ssh_sshd_config_dir.pass.sh
new file mode 100644
index 000000000000..bee5f9991a7c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_usr_etc_ssh_sshd_config_dir.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+echo "DenyUsers user" >> /usr/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh
index 2f735305d2c5..1f6c11f7a4d1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # remediation = none
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowGroups " >> /etc/ssh/sshd_config
 echo "DenyGroups " >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh
index 4affe4b4d598..55ea7d01cde3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # remediation = none
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers " >> /etc/ssh/sshd_config
 echo "DenyUsers " >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh
index bc8a67e7fbad..8ab213a16a18 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 # remediation = none
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh

From 4e938f74b8afb37879c54fc39ab2bccdfbb6e4b6 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 08:04:26 +0200
Subject: [PATCH 201/265] For sle16 enhance the check to cover cases with
 sshd_config in /usr and subfolders for sshd_set_idle_timeout rule

---
 .../sshd_set_idle_timeout/oval/sle16.xml      | 153 ++++++++++++++++++
 1 file changed, 153 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml
new file mode 100644
index 000000000000..9c2ae2f9a78a
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml
@@ -0,0 +1,153 @@
+
+  
+    {{{ oval_metadata("The SSH idle timeout interval should be set to an appropriate value.", rule_title=rule_title) }}}
+    
+      
+        
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+    
+  
+
+  
+    
+  
+  
+    ^/etc/ssh/sshd_config
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config
+    ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config
+    ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+  
+
+  
+    0
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_idle_timeout_etc
+      
+      
+        object_sshd_idle_timeout_config_dir
+        object_sshd_idle_timeout_usr_config_dir
+      
+    
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_idle_timeout_usr
+      
+      
+        object_sshd_idle_timeout_config_dir
+        object_sshd_idle_timeout_usr_config_dir
+      
+    
+  
+
+  
+
+

From 5aedfa62ddff7f6a175ee39f885ad66435255493 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 08:05:10 +0200
Subject: [PATCH 202/265] For sle16 enhance the check to cover cases with
 sshd_config in /usr and subfolders for sshd_set_login_grace_time rule

---
 .../sshd_set_login_grace_time/oval/sle16.xml  | 153 ++++++++++++++++++
 ...rect_value_etc_sshd_config_drop_in.pass.sh |   5 +
 ...lue_in_usr_etc_sshd_config_present.fail.sh |   6 +
 .../correct_value_usr_etc_sshd_config.pass.sh |   5 +
 ..._value_usr_etc_sshd_config_drop_in.pass.sh |   5 +
 .../tests/include.sh                          |  15 ++
 .../tests/lower_bound.pass.sh                 |   2 +-
 .../tests/no_limit.fail.sh                    |   2 +-
 .../tests/too_high.fail.sh                    |   2 +-
 .../too_high_etc_sshd_config_drop_in.fail.sh  |   5 +
 .../too_high_usr_etc_sshd_config.fail.sh      |   5 +
 ...o_high_usr_etc_sshd_config_drop_in.fail.sh |   5 +
 12 files changed, 207 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config_drop_in.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml
new file mode 100644
index 000000000000..23137efd78b8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml
@@ -0,0 +1,153 @@
+
+  
+    {{{ oval_metadata("The SSH number seconds for login grace time should be set to an appropriate value.", rule_title=rule_title) }}}
+    
+      
+        
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+    
+  
+
+  
+    
+  
+  
+    ^/etc/ssh/sshd_config
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config
+    ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config
+    ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+  
+
+  
+    0
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_login_grace_time_etc
+      
+      
+        object_sshd_login_grace_time_config_dir
+        object_sshd_login_grace_time_usr_config_dir
+      
+    
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_login_grace_time_usr
+      
+      
+        object_sshd_login_grace_time_config_dir
+        object_sshd_login_grace_time_usr_config_dir
+      
+    
+  
+
+  
+
+
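Review bot: The existence-gate pattern `^/etc/ssh/sshd_config` has no end anchor, so if that object uses a pattern-match operation (the element tags are not visible here) it also matches paths such as `/etc/ssh/sshd_config.d/01-complianceascode.conf`, and the "main config exists" branch fires when only the drop-in directory is populated; `^/etc/ssh/sshd_config$` pins it to the file itself. The four value regexes put the `(?i)` flag after `^[\s]*`; PCRE accepts a mid-pattern flag but other engines reject it, and writing `(?i)^\s*LoginGraceTime\s+(\d+)\s*(?:#.*)?$` matches the form the sshd_set_maxstartups sle16.xml in this series uses. The same two points apply to the sle16.xml hunks of sshd_set_max_auth_tries and sshd_set_max_sessions.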
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..a0f68b4a5ccb
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 60" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
new file mode 100644
index 000000000000..b80e3832b591
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+touch /etc/ssh/sshd_config
+echo "LoginGraceTime 1" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh
new file mode 100644
index 000000000000..3ed15582de0b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 1" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..1e72b109d85e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 60" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh
new file mode 100644
index 000000000000..aee5eb2d0bec
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^LoginGraceTime.*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
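Review bot: The cleanup `sed -i '/^LoginGraceTime.*/d'` is case-sensitive and anchored at column 0, while the OVAL it supports matches `^[\s]*(?i)LoginGraceTime`, so a pre-existing indented or differently-cased directive survives the cleanup and can flip a pass/fail scenario; `sed -i '/^[[:space:]]*LoginGraceTime/Id'` (GNU sed `I` address flag) removes what the check would see. The globs `/usr/etc/ssh/sshd_config.d/*` and `/etc/ssh/sshd_config.d/*` expand to the literal pattern when the directory is empty or absent, handing sed a nonexistent path; `shopt -s nullglob` before the `SSHD_PATHS+=` line avoids that. The include.sh hunks for sshd_set_max_auth_tries, sshd_set_max_sessions and sshd_set_maxstartups have the same two issues.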
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh
index f5236501ca01..809d3c1f4659 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4
 # platform = multi_platform_all
 
 SSHD_CONFIG="/etc/ssh/sshd_config"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh
index 63a0aee97f7d..738969589112 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4
 # platform = multi_platform_all
 
 SSHD_CONFIG="/etc/ssh/sshd_config"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh
index 6d109091b8b9..959f7d699345 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4
 # platform = multi_platform_all
 
 SSHD_CONFIG="/etc/ssh/sshd_config"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..35ea7b48f5f4
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 61" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config.fail.sh
new file mode 100644
index 000000000000..7010af0181bd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 61" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..1cdd63bb777a
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 61" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf

From 676a554cbe9d8f3ab575f28105946540a89e5d15 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 08:05:48 +0200
Subject: [PATCH 203/265] For sle16 enhance the check to cover cases with
 sshd_config in /usr and subfolders for sshd_set_max_auth_tries rule

---
 .../sshd_set_max_auth_tries/oval/sle16.xml    | 153 ++++++++++++++++++
 ...rect_value_etc_sshd_config_drop_in.pass.sh |   6 +
 ...lue_in_usr_etc_sshd_config_present.fail.sh |   7 +
 .../correct_value_usr_etc_sshd_config.pass.sh |   6 +
 ..._value_usr_etc_sshd_config_drop_in.pass.sh |   6 +
 .../sshd_set_max_auth_tries/tests/include.sh  |  15 ++
 ...rong_value_etc_sshd_config_drop_in.fail.sh |   6 +
 .../wrong_value_usr_etc_sshd_config.fail.sh   |   6 +
 ..._value_usr_etc_sshd_config_drop_in.fail.sh |   6 +
 9 files changed, 211 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/sle16.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/include.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/sle16.xml
new file mode 100644
index 000000000000..a9452bfb71aa
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/sle16.xml
@@ -0,0 +1,153 @@
+
+  
+    {{{ oval_metadata("The SSH MaxAuthTries should be set to an appropriate value.", rule_title=rule_title) }}}
+    
+      
+        
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+    
+  
+
+  
+    
+  
+  
+    ^/etc/ssh/sshd_config
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config
+    ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config
+    ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+  
+
+  
+    0
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_max_auth_tries_etc
+      
+      
+        object_sshd_max_auth_tries_config_dir
+        object_sshd_max_auth_tries_usr_config_dir
+      
+    
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_max_auth_tries_usr
+      
+      
+        object_sshd_max_auth_tries_config_dir
+        object_sshd_max_auth_tries_usr_config_dir
+      
+    
+  
+
+  
+
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..4262a6713622
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_max_auth_tries_value=4
+source include.sh
+
+echo "MaxAuthTries 4" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
new file mode 100644
index 000000000000..7b327ed220ce
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_max_auth_tries_value=4
+source include.sh
+
+touch /etc/ssh/sshd_config
+echo "MaxAuthTries 4" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config.pass.sh
new file mode 100644
index 000000000000..d902aa806c16
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_max_auth_tries_value=4
+source include.sh
+
+echo "MaxAuthTries 4" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..0c0ad79ef4fe
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_max_auth_tries_value=4
+source include.sh
+
+echo "MaxAuthTries 4" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/include.sh
new file mode 100644
index 000000000000..9790bbcd68d0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/include.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^MaxAuthTries.*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..41136d9eb40b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_max_auth_tries_value=4
+source include.sh
+
+echo "MaxAuthTries 20" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config.fail.sh
new file mode 100644
index 000000000000..218e4deb2407
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_max_auth_tries_value=4
+source include.sh
+
+echo "MaxAuthTries 5" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..753e15c14404
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = sshd_max_auth_tries_value=4
+source include.sh
+
+echo "MaxAuthTries 0" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf

From 5de048fc42cf8406ecc5b97c891db4b846ed4519 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 08:06:35 +0200
Subject: [PATCH 204/265] For sle16 enhance the check to cover cases with
 sshd_config in /usr and subfolders for sshd_set_max_sessions rule

---
 .../sshd_set_max_sessions/oval/sle16.xml      | 153 ++++++++++++++++++
 ...rect_value_etc_sshd_config_drop_in.pass.sh |   6 +
 ...lue_in_usr_etc_sshd_config_present.fail.sh |   7 +
 .../correct_value_usr_etc_sshd_config.pass.sh |   6 +
 ..._value_usr_etc_sshd_config_drop_in.pass.sh |   6 +
 .../sshd_set_max_sessions/tests/include.sh    |  15 ++
 ...rong_value_etc_sshd_config_drop_in.fail.sh |   6 +
 .../wrong_value_usr_etc_sshd_config.fail.sh   |   6 +
 ..._value_usr_etc_sshd_config_drop_in.fail.sh |   6 +
 9 files changed, 211 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/sle16.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/include.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/sle16.xml
new file mode 100644
index 000000000000..3acd7b75327d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/sle16.xml
@@ -0,0 +1,153 @@
+
+  
+    {{{ oval_metadata("The SSH MaxSessions should be set to an appropriate value.", rule_title=rule_title) }}}
+    
+      
+        
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+      
+        
+        
+        
+          
+          
+          
+          
+          
+        
+      
+    
+  
+
+  
+    
+  
+  
+    ^/etc/ssh/sshd_config
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config
+    ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config
+    ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+    
+    
+  
+
+  
+    /usr/etc/ssh/sshd_config.d
+    .*\.conf$
+    ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$
+    1
+  
+
+  
+    
+  
+
+  
+    0
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_max_session_etc
+      
+      
+        object_sshd_max_session_config_dir
+        object_sshd_max_session_usr_config_dir
+      
+    
+  
+
+  
+    
+  
+
+  
+    
+      
+        object_sshd_max_session_usr
+      
+      
+        object_sshd_max_session_config_dir
+        object_sshd_max_session_usr_config_dir
+      
+    
+  
+
+  
+
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..7fdb6123803b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_max_sessions=4
+source include.sh
+
+echo "MaxSessions 4" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
new file mode 100644
index 000000000000..7f19908dcaea
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_max_sessions=4
+source include.sh
+
+touch /etc/ssh/sshd_config
+echo "MaxSessions 4" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config.pass.sh
new file mode 100644
index 000000000000..180bd49bed98
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_max_sessions=4
+source include.sh
+
+echo "MaxSessions 4" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..622d36446727
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_max_sessions=4
+source include.sh
+
+echo "MaxSessions 4" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/include.sh
new file mode 100644
index 000000000000..4c8d058295d8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/include.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^MaxSessions.*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..606d55099420
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_max_sessions=4
+source include.sh
+
+echo "MaxSessions 20" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config.fail.sh
new file mode 100644
index 000000000000..fe6f5a820988
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_max_sessions=4
+source include.sh
+
+echo "MaxSessions 5" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..0c07b9608d42
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_max_sessions=4
+source include.sh
+
+echo "MaxSessions 10" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf

From 8f0e0ed0693492e6d249ebf6f00c607f7a33d87b Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Feb 2026 08:07:03 +0200
Subject: [PATCH 205/265] For sle16 enhance the check to cover cases with
 sshd_config in /usr and subfolders for sshd_set_maxstartups rule

---
 .../sshd_set_maxstartups/oval/sle16.xml       | 151 ++++++++++++++++++
 ...rect_value_etc_sshd_config_drop_in.pass.sh |   6 +
 ...lue_in_usr_etc_sshd_config_present.fail.sh |   7 +
 .../correct_value_usr_etc_sshd_config.pass.sh |   6 +
 ..._value_usr_etc_sshd_config_drop_in.pass.sh |   6 +
 .../sshd_set_maxstartups/tests/include.sh     |  15 ++
 ...rong_value_etc_sshd_config_drop_in.fail.sh |   6 +
 .../wrong_value_usr_etc_sshd_config.fail.sh   |   6 +
 ..._value_usr_etc_sshd_config_drop_in.fail.sh |   6 +
 9 files changed, 209 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml
new file mode 100644
index 000000000000..5ca10680c2a8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml
@@ -0,0 +1,151 @@
+
+  
+    {{{ oval_metadata("Ensure 'MaxStartups' is properly configured in SSH configuration files.", rule_title=rule_title) }}}
+    
+      
+        
+        
+      
+      
+        
+          
+          
+          
+          
+        
+        
+          
+          
+          
+          
+        
+      
+    
+  
+
+  
+    
+  
+  
+    ^/etc/ssh/sshd_config
+  
+
+  
+    
+    
+  
+  
+    
+    
+  
+  
+    
+    
+  
+
+  
+    ^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)
+    (sshd_config|.*\.conf)$
+    (?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$
+    1
+  
+  
+    ^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)
+    (sshd_config|.*\.conf)$
+    (?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$
+    1
+  
+  
+    ^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)
+    (sshd_config|.*\.conf)$
+    (?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$
+    1
+  
+
+  
+    
+    
+  
+  
+    
+    
+  
+  
+    
+    
+  
+
+  
+    ^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)
+    (sshd_config|.*\.conf)$
+    (?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$
+    1
+  
+  
+    ^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)
+    (sshd_config|.*\.conf)$
+    (?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$
+    1
+  
+  
+    ^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)
+    (sshd_config|.*\.conf)$
+    (?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$
+    1
+  
+
+  
+
+  
+    
+      
+    
+  
+  
+    
+      
+    
+  
+  
+    
+      
+    
+  
+
+  
+    
+  
+  
+    
+  
+  
+    
+  
+
+
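Review bot: The path patterns `^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)` (and the `/usr/etc/ssh` variants below them) have no end anchor and an unescaped dot, so `^/etc/ssh` also matches `/etc/ssh/ssh_config.d` and any other subdirectory under `/etc/ssh`, and the filename pattern `(sshd_config|.*\.conf)$` then pulls client drop-ins into a server-side check; `^(/etc/ssh|/etc/ssh/sshd_config\.d|/usr/etc/ssh/sshd_config\.d)$` restricts it to the intended directories. The value regexes require the `start:rate:full` triple and allow no trailing comment, unlike the `(?:#.*)?` tail used by the other sle16.xml files in this series; if a single-number `MaxStartups` form is deliberately treated as unset, a comment on the regex saying so would save the next reader a question.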
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..fc6371be73be
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
new file mode 100644
index 000000000000..6905e07c838e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+touch /etc/ssh/sshd_config
+echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh
new file mode 100644
index 000000000000..0a93fe6e32ec
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
new file mode 100644
index 000000000000..d2835b507b40
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh
new file mode 100644
index 000000000000..1f5b69d60b54
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^MaxStartups.*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
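Review bot: The cleanup line `sed -i '/^MaxStartups.*/d' "${SSHD_PATHS[@]}"` receives the literal patterns `/usr/etc/ssh/sshd_config.d/*` and `/etc/ssh/sshd_config.d/*` when those globs match nothing, and on a pristine SLE 16 image `/etc/ssh/sshd_config` may already be absent, so sed reports "No such file" for every unmatched path (the script has no `set -e`, so it continues, but the noise masks real setup failures). Add `shopt -s nullglob` before the `SSHD_PATHS+=` line and only edit files that exist: `for f in "${SSHD_PATHS[@]}"; do [ -f "$f" ] && sed -i '/^MaxStartups.*/d' "$f"; done`. The pattern is also case-sensitive and anchored at column 0 while the check's regex is `(?i)^\s*MaxStartups`, so a directive left by an earlier scenario with leading whitespace or different case would survive cleanup; `/^[[:space:]]*MaxStartups/Id` matches what the check matches.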
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..39d6dae3afc2
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:61" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh
new file mode 100644
index 000000000000..9bfce7c33062
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:29:60" >> /usr/etc/ssh/sshd_config
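Review bot: This `.fail.sh` scenario differs from `var_sshd_set_maxstartups` only in the second field (`10:29:60` vs `10:30:60`), but the only capture group visible in the OVAL object above is `\d+:\d+:(\d+)`, which extracts the third field alone; unless another object outside this view captures the start and rate fields, this scenario and the `11:30:60` one in wrong_value_usr_etc_sshd_config_drop_in.fail.sh would be reported as passing rather than failing. Worth confirming that the check compares the whole `start:rate:full` triple against the variable, e.g. by capturing `(\d+:\d+:\d+)` and comparing that single value.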
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
new file mode 100644
index 000000000000..a0781811a3a3
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 11:30:60">> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf

From 5e42450c42de11f1883d76d80689a0ad5e3fab35 Mon Sep 17 00:00:00 2001
From: Harold Dean 
Date: Thu, 26 Feb 2026 06:34:42 -0500
Subject: [PATCH 206/265] [Ubuntu 22.04] Bump STIG profile metadata from V2R3
 to V2R7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

All V2R7 control PRs (#14427, #14418, #14415, #14416, #14433) were
merged without updating the version metadata fields. This causes STIG
Viewer imports and auditor reports to display V2R3 while the actual
content reflects V2R7 rules.

Updated files:
- controls/stig_ubuntu2204.yml: version V2R3 → V2R7
- products/ubuntu2204/profiles/stig.profile: version, title, and
  description strings V2R3 → V2R7
---
 controls/stig_ubuntu2204.yml              | 2 +-
 products/ubuntu2204/profiles/stig.profile | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml
index e0221cee294f..86488344796c 100644
--- a/controls/stig_ubuntu2204.yml
+++ b/controls/stig_ubuntu2204.yml
@@ -2,7 +2,7 @@
 policy: Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG)
 title: Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG)
 id: stig_ubuntu2204
-version: V2R3
+version: V2R7
 source: https://www.cyber.mil/stigs/downloads/
 
 levels:
diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile
index 0a7b4bf2fb2e..ccc40b0a53b3 100644
--- a/products/ubuntu2204/profiles/stig.profile
+++ b/products/ubuntu2204/profiles/stig.profile
@@ -2,7 +2,7 @@
 documentation_complete: true
 
 metadata:
-    version: V2R3
+    version: V2R7
     SMEs:
         - mpurg
         - dodys
@@ -11,11 +11,11 @@ metadata:
 
 reference: https://www.cyber.mil/stigs/downloads
 
-title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R3'
+title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R7'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for Canonical Ubuntu 22.04 LTS V2R3.
+    DISA STIG for Canonical Ubuntu 22.04 LTS V2R7.
 
 selections:
     - stig_ubuntu2204:all

From 2b7190fb9123cd8d2ee0fc8c0cc9c721968e99f0 Mon Sep 17 00:00:00 2001
From: Lance Bragstad 
Date: Thu, 19 Feb 2026 08:45:40 -0600
Subject: [PATCH 207/265] Add find-rule CLAUDE skill

This commit adds a skill and instructions for finding rules in the
content repository based on some user input, or requirement text. It is
designed to be called by users, and not invokable by the model.

This is useful for finding rules we can use off-the-shelf in new profile
development, especially with vaguely worded controls.
---
 .claude/skills/find-rule/SKILL.md | 77 +++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 .claude/skills/find-rule/SKILL.md

diff --git a/.claude/skills/find-rule/SKILL.md b/.claude/skills/find-rule/SKILL.md
new file mode 100644
index 000000000000..78e7b37e3f63
--- /dev/null
+++ b/.claude/skills/find-rule/SKILL.md
@@ -0,0 +1,77 @@
+---
+disable-model-invocation: true
+---
+
+Search for existing rules that match the following requirement:
+
+$ARGUMENTS
+
+Follow these steps:
+
+1. **Extract key concepts** from the requirement text. Identify:
+   - Technical terms (e.g., "TLS", "audit", "encryption", "RBAC")
+   - Component references (e.g., "API server", "kubelet", "etcd", "SSH")
+   - Specific settings or parameters mentioned
+   - Any reference IDs (SRG-xxx, CIS section numbers, STIG IDs, NIST controls)
+
+2. **Respect scope constraints.** If the user specifies a scope (e.g., "only OpenShift control plane", "only node-level"), restrict results to that scope. Do not return rules outside the requested scope. OCP4/Kubernetes rules live under `applications/openshift/` and Linux rules live under `linux_os/guide/`. If no scope is specified, search both.
+
+3. **Search broadly** across rule titles, descriptions, and template configurations:
+   - Search `applications/openshift/` and `linux_os/guide/` for `rule.yml` files
+   - Search for keywords in titles, descriptions, template vars, and reference fields
+   - If reference IDs were provided, search for those exact IDs in rule.yml files
+
+4. **Check control files** in `controls/` and `products/*/controls/` for matching control IDs or titles that already map to this requirement.
+
+5. **Note product applicability** for each matched rule. Check the `identifiers` section of each rule.yml for `cce@` entries (e.g., `cce@ocp4`, `cce@rhel9`). The product IDs after `@` correspond to subdirectory names under `products/`. This tells the user which products the rule applies to.
+
+6. **Present results** organized by match strength. For every rule, include a **Rationale** — a concise (1-2 sentence) explanation of why this rule satisfies or partially satisfies the requirement. Write the rationale so that a maintainer unfamiliar with the rule can understand the connection without reading the full rule.yml. Focus on *what the rule checks* and *how that maps to the requirement*.
+
+   **Strong matches** (title or template directly addresses the requirement):
+   - Rule ID, file path, title, severity
+   - Template type and key vars (if templated)
+   - Matching references (SRG, CIS, STIG, NIST)
+   - Product applicability (which products have CCE identifiers)
+   - Whether the rule has an automated template or is manual review only
+   - **Rationale:** Why this rule is a strong match for the requirement
+
+   **Partial matches** (related but not exact):
+   - Same fields as above
+   - **Rationale:** What aspect of the requirement this rule covers and what it does not
+
+   **Weak matches** (tangentially related):
+   - Rule ID, file path, title
+   - **Rationale:** Why it was included despite being tangential
+
+7. **Include a summary table** at the end mapping requirement aspects to rule IDs, so the user can quickly see coverage.
+
+8. **Always suggest a control structure** with a `notes` field that includes a concise rationale for each rule, explaining why it was included for this control. This helps maintainers understand the reasoning without needing to read every rule.yml. When no strong automated matches exist, say so clearly and use `status: partial` or `status: manual` as appropriate. Example:
+
+   ```yaml
+   - id: X.Y.Z
+     title: Control Title
+     status: automated
+     notes: |-
+         automated_rule_1 - Rationale for why this rule satisfies the control.
+         automated_rule_2 - Rationale for why this rule satisfies the control.
+     rules:
+         - automated_rule_1
+         - automated_rule_2
+   ```
+
+   For partial or manual controls, also include guidance for assessors:
+
+   ```yaml
+   - id: X.Y.Z
+     title: Control Title
+     status: partial
+     notes: |-
+         automated_rule_1 - Rationale for why this rule partially covers the control.
+         The remaining aspects of this control require manual verification: [manual steps].
+     rules:
+         - automated_rule_1
+   ```
+
+   When suggesting rules for partial/manual controls, only include rules that provide automated value. Omit rules that are themselves manual-only (no template, no automated check) unless they are the only matches available.
+
+9. **Rules can appear in multiple controls.** The build system handles this correctly. Each control should list the complete set of rules needed to satisfy it, even if some rules also appear in other controls. This ensures each control is self-contained and readers don't need to cross-reference other controls to understand coverage.

From cde8ba2bdbd69066adc7bc4a173b1320be44ea62 Mon Sep 17 00:00:00 2001
From: Lance Bragstad 
Date: Tue, 24 Feb 2026 09:35:15 -0600
Subject: [PATCH 208/265] Add manage-profile CLAUDE skill

This commit adds a skill and instructions for managing profiles,
specifically the version and its relationship to control files. It is
currently only intended for users, and not for model invocation.

This can be especially useful for profiles that are versioned
frequently, but don't have substantial technical changes (e.g., CIS
1.7.0 -> 1.8.0).
---
 .claude/skills/manage-profile/SKILL.md | 135 +++++++++++++++++++++++++
 1 file changed, 135 insertions(+)
 create mode 100644 .claude/skills/manage-profile/SKILL.md

diff --git a/.claude/skills/manage-profile/SKILL.md b/.claude/skills/manage-profile/SKILL.md
new file mode 100644
index 000000000000..775f873fefb0
--- /dev/null
+++ b/.claude/skills/manage-profile/SKILL.md
@@ -0,0 +1,135 @@
+---
+disable-model-invocation: true
+---
+
+Create or update a versioned profile.
+
+Arguments: $ARGUMENTS
+
+Expected arguments: `   [version]`
+
+Actions:
+- `create` — Create a new versioned profile pair (versioned + unversioned)
+- `update` — Bump an existing profile to a new version
+
+For example:
+- `create cis ocp4 1.7.0`
+- `update cis ocp4 1.8.0`
+
+## Background: Profile Versioning Pattern
+
+This project uses a two-file versioning pattern for profiles (browse existing profiles under `products//profiles/` for examples):
+
+- **Versioned profile** (e.g., `cis-v1-7-0.profile`): Contains the actual `selections`, `metadata.version`, and all profile configuration. Users pin to this for a stable baseline.
+- **Unversioned profile** (e.g., `cis.profile`): Contains `extends: cis-v1-7-0` and no `selections` of its own. Users referencing this always get the latest version.
+
+When multiple products are specified (e.g., `ocp4,rhcos4`), both profile pairs are created/updated under their respective `products//profiles/` directories.
+
+---
+
+## Action: `create`
+
+### Step 1: Validate
+
+1. Parse the product list (comma-separated). Valid product IDs are subdirectory names under `products/`.
+2. Verify `products//profiles/` exists for each product.
+3. Check that the profile does not already exist. If it does, suggest using `update` instead.
+4. Convert the version to a filename-safe format by replacing dots with dashes (e.g., `2.0.0` → `v2-0-0`).
+
+### Step 2: Check for a Control File
+
+Check if a control file exists that matches the profile name. Control files live under `controls/` and `products/*/controls/`, typically named `_.yml` or as a split directory with the same base name. If found:
+
+1. Read the control file's top-level YAML to check the `product` field.
+2. If the `product` field does not list all the products from the argument, warn the user and offer to update it. A control file needs all target products listed in its `product` field to work with each product's profile. Check existing multi-product control files for examples of this pattern.
+
+### Step 3: Show the Proposed Files
+
+For each product, show the two files that will be created:
+
+**Versioned profile** (`products//profiles/-.profile`):
+```yaml
+---
+documentation_complete: true
+
+title: ' for <Product Full Name>'
+
+platform: <product>
+
+metadata:
+    version: <Version>
+
+description: |-
+    <Description text.>
+
+selections:
+    - <control_id>:all
+```
+
+**Unversioned profile** (`products/<product>/profiles/<name>.profile`):
+```yaml
+---
+documentation_complete: true
+
+title: '<Title> for <Product Full Name>'
+
+platform: <product>
+
+metadata:
+    version: <Version>
+
+description: |-
+    <Description text.>
+
+extends: <name>-<version>
+```
+
+Ask the user to confirm before creating.
+
+### Step 4: Apply
+
+Create all files for each product after approval.
+
+---
+
+## Action: `update`
+
+### Step 1: Validate
+
+1. Parse the product list.
+2. Locate the existing unversioned profile for each product at `products/<product>/profiles/<name>.profile`.
+3. Read the unversioned profile to find the current `extends` target (e.g., `cis-v1-7-0`).
+4. Read the current versioned profile to get its `selections` and other configuration.
+5. Convert the new version to filename-safe format (e.g., `2.1.0` → `v2-1-0`).
+
+If the unversioned profile doesn't use `extends`, warn the user that it doesn't follow the versioning pattern and offer to convert it.
+
+### Step 2: Show the Proposed Changes
+
+For each product, show what will happen:
+
+1. **New versioned profile** (`<name>-<new_version>.profile`): Created with the same `selections` as the current versioned profile (the user can modify selections afterward).
+2. **Previous versioned profile** (`<name>-<old_version>.profile`): Add `status: deprecated` to mark it as superseded.
+3. **Unversioned profile** (`<name>.profile`): Update `extends` to point to the new version and update `metadata.version`.
+
+Ask the user to confirm before applying.
+
+### Step 3: Apply
+
+After approval:
+
+1. Create the new versioned profile by copying the current versioned profile's content and updating `metadata.version`.
+2. Add `status: deprecated` to the previous versioned profile.
+3. Update the unversioned profile's `extends` field to reference the new versioned profile.
+4. Update the unversioned profile's `metadata.version` to the new version.
+5. Show the final state of all modified/created files.
+
+---
+
+## Notes
+
+- **Product full names** for titles/descriptions: Read the `full_name` field from `products/<product>/product.yml` for each product.
+- **Version format in filenames**: Replace dots with dashes and prefix with `v` (e.g., `2.0.0` → `v2-0-0`, `V2R3` → `v2r3`).
+- **Version format in metadata**: Use the version as provided by the user (e.g., `V2.0.0`, `V2R3`).
+- Always show the full proposed file contents before creating or modifying.
+- When updating, preserve all existing `selections`, `filter_rules`, variables, and other configuration from the current versioned profile.

From a775cbf67746e86fb58cfdf16e84f31b82128380 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 Feb 2026 02:43:24 +0000
Subject: [PATCH 209/265] Bump actions/download-artifact from 7.0.0 to 8.0.0

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.0.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/automatus-cs9.yaml        | 4 ++--
 .github/workflows/automatus-debian12.yaml   | 4 ++--
 .github/workflows/automatus-sanity.yaml     | 2 +-
 .github/workflows/automatus-sle15.yaml      | 4 ++--
 .github/workflows/automatus-ubi8.yaml       | 4 ++--
 .github/workflows/automatus-ubuntu2204.yaml | 4 ++--
 .github/workflows/automatus-ubuntu2404.yml  | 4 ++--
 .github/workflows/automatus.yaml            | 4 ++--
 .github/workflows/compare-ds.yaml           | 4 ++--
 9 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/automatus-cs9.yaml b/.github/workflows/automatus-cs9.yaml
index 08e494a96134..04b86b8a9e25 100644
--- a/.github/workflows/automatus-cs9.yaml
+++ b/.github/workflows/automatus-cs9.yaml
@@ -73,7 +73,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Get cached CTF output
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         id: get_ctf_output
         with:
           name: output.json
@@ -130,7 +130,7 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'ansible'
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
diff --git a/.github/workflows/automatus-debian12.yaml b/.github/workflows/automatus-debian12.yaml
index 396b65549587..d12593f44d1c 100644
--- a/.github/workflows/automatus-debian12.yaml
+++ b/.github/workflows/automatus-debian12.yaml
@@ -80,7 +80,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Get cached CTF output
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         id: get_ctf_output
         with:
           name: output.json
@@ -146,7 +146,7 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'ansible'
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
diff --git a/.github/workflows/automatus-sanity.yaml b/.github/workflows/automatus-sanity.yaml
index c5e958fb7d5f..e0026ba751fa 100644
--- a/.github/workflows/automatus-sanity.yaml
+++ b/.github/workflows/automatus-sanity.yaml
@@ -49,7 +49,7 @@ jobs:
           sudo chown root:root /usr/local/bin/oscap-ssh
           rm -f oscap-ssh
       - name: Get Datastream
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         with:
           name: ${{ env.DATASTREAM }}
       - name: Check One Rule
diff --git a/.github/workflows/automatus-sle15.yaml b/.github/workflows/automatus-sle15.yaml
index a0d833cec24b..f6017dab3704 100644
--- a/.github/workflows/automatus-sle15.yaml
+++ b/.github/workflows/automatus-sle15.yaml
@@ -81,7 +81,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Get cached CTF output
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         id: get_ctf_output
         with:
           name: output.json
@@ -138,7 +138,7 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'ansible'
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
diff --git a/.github/workflows/automatus-ubi8.yaml b/.github/workflows/automatus-ubi8.yaml
index 411e2ea05700..3a3e9877d9bc 100644
--- a/.github/workflows/automatus-ubi8.yaml
+++ b/.github/workflows/automatus-ubi8.yaml
@@ -73,7 +73,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Get cached CTF output
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         id: get_ctf_output
         with:
           name: output.json
@@ -130,7 +130,7 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'ansible'
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
diff --git a/.github/workflows/automatus-ubuntu2204.yaml b/.github/workflows/automatus-ubuntu2204.yaml
index e43f19b9b6b0..626d0a221c01 100644
--- a/.github/workflows/automatus-ubuntu2204.yaml
+++ b/.github/workflows/automatus-ubuntu2204.yaml
@@ -80,7 +80,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Get cached CTF output
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         id: get_ctf_output
         with:
           name: output.json
@@ -146,7 +146,7 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'ansible'
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
diff --git a/.github/workflows/automatus-ubuntu2404.yml b/.github/workflows/automatus-ubuntu2404.yml
index 95a264ffb007..5acdf92fdedc 100644
--- a/.github/workflows/automatus-ubuntu2404.yml
+++ b/.github/workflows/automatus-ubuntu2404.yml
@@ -73,7 +73,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Get cached CTF output
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         id: get_ctf_output
         with:
           name: output.json
@@ -122,7 +122,7 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'ansible'
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
diff --git a/.github/workflows/automatus.yaml b/.github/workflows/automatus.yaml
index ad3c7dcc319b..b0cbea036188 100644
--- a/.github/workflows/automatus.yaml
+++ b/.github/workflows/automatus.yaml
@@ -73,7 +73,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Get cached CTF output
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         id: get_ctf_output
         with:
           name: output.json
@@ -130,7 +130,7 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'ansible'
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ssg-${{steps.product.outputs.prop}}-ds.xml
diff --git a/.github/workflows/compare-ds.yaml b/.github/workflows/compare-ds.yaml
index b3589b71a88e..dc30f49ffc4d 100644
--- a/.github/workflows/compare-ds.yaml
+++ b/.github/workflows/compare-ds.yaml
@@ -20,7 +20,7 @@ jobs:
       - name: Install deps python
         run: pip install gitpython xmldiff
       - name: Download PR info
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           run-id: ${{ github.event.workflow_run.id }}
@@ -72,7 +72,7 @@ jobs:
           prop_path: 'product'
       - name: Download built product ${{ steps.pr_info.outputs.base_branch }} (${{ steps.pr_info.outputs.fork_point }})
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
             github-token: ${{ secrets.GITHUB_TOKEN }}
             name: pr-artifacts-${{ github.event.workflow_run.head_sha }}

From 09d894a20f129eb33dcbffd1d06d930a13c32512 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 Feb 2026 02:43:51 +0000
Subject: [PATCH 210/265] Bump actions/upload-artifact from 6.0.0 to 7.0.0

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/automatus-cs9.yaml        |  8 ++++----
 .github/workflows/automatus-debian12.yaml   |  8 ++++----
 .github/workflows/automatus-sanity.yaml     |  2 +-
 .github/workflows/automatus-sle15.yaml      |  8 ++++----
 .github/workflows/automatus-ubi8.yaml       |  8 ++++----
 .github/workflows/automatus-ubuntu2204.yaml |  8 ++++----
 .github/workflows/automatus-ubuntu2404.yml  |  8 ++++----
 .github/workflows/automatus.yaml            |  8 ++++----
 .github/workflows/compare-ds-build.yml      |  4 ++--
 .github/workflows/gh-pages.yaml             |  2 +-
 .github/workflows/nightly_build.yml         |  2 +-
 .github/workflows/ocp-test-profiles.yaml    |  2 +-
 .github/workflows/srg-mapping-table.yaml    | 12 ++++++------
 13 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/automatus-cs9.yaml b/.github/workflows/automatus-cs9.yaml
index 08e494a96134..fbb7f5b786d3 100644
--- a/.github/workflows/automatus-cs9.yaml
+++ b/.github/workflows/automatus-cs9.yaml
@@ -40,7 +40,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: output.json
@@ -58,7 +58,7 @@ jobs:
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product rhel9 --derivatives
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
@@ -151,7 +151,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_bash
           path: logs_bash/
@@ -167,7 +167,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_ansible
           path: logs_ansible/
diff --git a/.github/workflows/automatus-debian12.yaml b/.github/workflows/automatus-debian12.yaml
index 396b65549587..9408eeb1ed62 100644
--- a/.github/workflows/automatus-debian12.yaml
+++ b/.github/workflows/automatus-debian12.yaml
@@ -38,7 +38,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: output.json
@@ -65,7 +65,7 @@ jobs:
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product debian12
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
@@ -167,7 +167,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_bash
           path: logs_bash/
@@ -183,7 +183,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_ansible
           path: logs_ansible/
diff --git a/.github/workflows/automatus-sanity.yaml b/.github/workflows/automatus-sanity.yaml
index c5e958fb7d5f..86cb6a551f5d 100644
--- a/.github/workflows/automatus-sanity.yaml
+++ b/.github/workflows/automatus-sanity.yaml
@@ -22,7 +22,7 @@ jobs:
           fetch-depth: 0
       - name: Build product
         run: ./build_product fedora --debug
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: ${{ env.DATASTREAM }}
           path: build/${{ env.DATASTREAM }}
diff --git a/.github/workflows/automatus-sle15.yaml b/.github/workflows/automatus-sle15.yaml
index a0d833cec24b..3697b914c18d 100644
--- a/.github/workflows/automatus-sle15.yaml
+++ b/.github/workflows/automatus-sle15.yaml
@@ -48,7 +48,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: output.json
@@ -66,7 +66,7 @@ jobs:
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product sle15
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
@@ -159,7 +159,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_bash
           path: logs_bash/
@@ -175,7 +175,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_ansible
           path: logs_ansible/
diff --git a/.github/workflows/automatus-ubi8.yaml b/.github/workflows/automatus-ubi8.yaml
index 411e2ea05700..bb9de93a0821 100644
--- a/.github/workflows/automatus-ubi8.yaml
+++ b/.github/workflows/automatus-ubi8.yaml
@@ -40,7 +40,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: output.json
@@ -58,7 +58,7 @@ jobs:
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product rhel8 --derivatives
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
@@ -151,7 +151,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_bash
           path: logs_bash/
@@ -167,7 +167,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_ansible
           path: logs_ansible/
diff --git a/.github/workflows/automatus-ubuntu2204.yaml b/.github/workflows/automatus-ubuntu2204.yaml
index e43f19b9b6b0..eedf396c3f66 100644
--- a/.github/workflows/automatus-ubuntu2204.yaml
+++ b/.github/workflows/automatus-ubuntu2204.yaml
@@ -38,7 +38,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: output.json
@@ -65,7 +65,7 @@ jobs:
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product ubuntu2204
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
@@ -167,7 +167,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_bash
           path: logs_bash/
@@ -183,7 +183,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_ansible
           path: logs_ansible/
diff --git a/.github/workflows/automatus-ubuntu2404.yml b/.github/workflows/automatus-ubuntu2404.yml
index 95a264ffb007..459d23e469cb 100644
--- a/.github/workflows/automatus-ubuntu2404.yml
+++ b/.github/workflows/automatus-ubuntu2404.yml
@@ -40,7 +40,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: output.json
@@ -58,7 +58,7 @@ jobs:
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product ubuntu2404 --datastream-only
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
@@ -143,7 +143,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_bash
           path: logs_bash/
@@ -159,7 +159,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_ansible
           path: logs_ansible/
diff --git a/.github/workflows/automatus.yaml b/.github/workflows/automatus.yaml
index ad3c7dcc319b..313f9d403016 100644
--- a/.github/workflows/automatus.yaml
+++ b/.github/workflows/automatus.yaml
@@ -38,7 +38,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: output.json
@@ -56,7 +56,7 @@ jobs:
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product ${{steps.product.outputs.prop}} --datastream-only
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ssg-${{steps.product.outputs.prop}}-ds.xml
@@ -151,7 +151,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_bash
           path: logs_bash/
@@ -167,7 +167,7 @@ jobs:
         continue-on-error: true
       - name: Upload logs in case of failure
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: logs_ansible
           path: logs_ansible/
diff --git a/.github/workflows/compare-ds-build.yml b/.github/workflows/compare-ds-build.yml
index 55eafa329eca..a57473e1bf4d 100644
--- a/.github/workflows/compare-ds-build.yml
+++ b/.github/workflows/compare-ds-build.yml
@@ -61,7 +61,7 @@ jobs:
                     tar -czvf artifacts.tar.gz artifacts
             -   name: Upload artifacts
                 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-                uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+                uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
                 with:
                     name: pr-artifacts-${{ github.event.pull_request.head.sha }}
                     retention-days: 1
@@ -74,7 +74,7 @@ jobs:
                     echo "${{ github.base_ref }}" > pr-info/base-branch.txt
                     echo "${{ steps.fork_point.outputs.FORK_POINT }}" > pr-info/fork-point.txt
             -   name: Upload PR info
-                uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+                uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
                 with:
                     name: pr-info
                     retention-days: 1
diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml
index 8fd1cd5d06b7..145ef3168fe9 100644
--- a/.github/workflows/gh-pages.yaml
+++ b/.github/workflows/gh-pages.yaml
@@ -63,7 +63,7 @@ jobs:
           git-config-name: openscap-ci
           git-config-email: openscap-ci@gmail.com
       - name: Upload artifact if the event is pull request
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
           name: built-content
diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml
index de6dd8846a79..26b58412d74a 100644
--- a/.github/workflows/nightly_build.yml
+++ b/.github/workflows/nightly_build.yml
@@ -32,7 +32,7 @@ jobs:
                 run: ninja -j$(nproc) package_source
                 working-directory: ./build
             -   name: 'Upload Artifact'
-                uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+                uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
                 with:
                   name: Nightly Build
                   path: |
diff --git a/.github/workflows/ocp-test-profiles.yaml b/.github/workflows/ocp-test-profiles.yaml
index d294af997921..5da0a67da393 100644
--- a/.github/workflows/ocp-test-profiles.yaml
+++ b/.github/workflows/ocp-test-profiles.yaml
@@ -40,7 +40,7 @@ jobs:
       - name: Test if there are no content changes
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" ctf-output.json)" >> $GITHUB_OUTPUT
         id: ctf
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ctf-output
diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml
index 4771f2b008b7..a61ee372cbb1 100644
--- a/.github/workflows/srg-mapping-table.yaml
+++ b/.github/workflows/srg-mapping-table.yaml
@@ -62,33 +62,33 @@ jobs:
         run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r2.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
         env:
           PYTHONPATH: ${{ github.workspace }}
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
           name: srg-mapping-rhel9.xlsx
           path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.xlsx
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
           name: srg-mapping-rhel9.html
           path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.html
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
           name: srg-mapping-rhel10.xlsx
           path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.xlsx
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
           name: srg-mapping-rhel10.html
           path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.html
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
           name: srg-mapping-ocp4.xlsx
           path: ${{ env.PAGES_DIR }}/srg-mapping-ocp4.xlsx
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
           name: srg-mapping-ocp4.html

From ca678fa765d6f0b91bd23223cf2cd6e01caae48b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 26 Feb 2026 13:54:16 +0100
Subject: [PATCH 211/265] Check for PQC GPG key only on RHEL 10.1 and newer

The redhat-release RPM package in RHEL 10.0 won't contain the
post-quantum OpenPGP key. This key will be present in RHEL 10.1
and newer.

Addressing:
Failing rule `ensure_redhat_gpgkey_installed` in multiple contest
tests `/hardening/host-os/oscap` on RHEL 10.0.
---
 .../ansible/shared.yml                        | 18 +++++++++++--
 .../bash/shared.sh                            | 13 ++++++----
 .../oval/shared.xml                           | 26 +++++++++++++++++--
 3 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index 8080f0c6ced3..750852c52a4f 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -40,13 +40,27 @@
 
 {{% endif %}}
 
-- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (without PQC)"
+  ansible.builtin.set_fact:
+    gpg_valid_fingerprints:
+    - "{{{ release_key_fingerprint }}}"
+    - "{{{ auxiliary_key_fingerprint }}}"
+  when: ansible_distribution_version is version('10.1', '<')
+
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (with PQC)"
   ansible.builtin.set_fact:
     gpg_valid_fingerprints:
     - "{{{ release_key_fingerprint }}}"
     - "{{{ auxiliary_key_fingerprint }}}"
-{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
     - "{{{ pqc_key_fingerprint }}}"
+  when: ansible_distribution_version is version('10.1', '>=')
+{{% else %}}
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
+  ansible.builtin.set_fact:
+    gpg_valid_fingerprints:
+    - "{{{ release_key_fingerprint }}}"
+    - "{{{ auxiliary_key_fingerprint }}}"
 {{% endif %}}
 
 - name: "{{{ rule_title }}}: Import RedHat GPG key"
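Review bot: The fingerprint list is now spelled out three times (the two RHEL-10 tasks and the `{{% else %}}` task), so the next key addition has to be made in three places; the "without PQC" task and the else branch are byte-identical apart from the name. Keeping one unconditional base task and appending the PQC fingerprint in a second, version-gated task removes the duplication and the else branch while producing the same `gpg_valid_fingerprints` on every platform. It is also worth a one-line comment that the 10.1 cut-off must stay in step with the bash and OVAL content of this rule, which derive the version from different sources.
```yaml
- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
  ansible.builtin.set_fact:
    gpg_valid_fingerprints:
    - "{{{ release_key_fingerprint }}}"
    - "{{{ auxiliary_key_fingerprint }}}"

{{% if "rhel" in families and major_version_ordinal >= 10 %}}
# The PQC key ships in redhat-release from RHEL 10.1 on; keep this cut-off in sync with bash/OVAL
- name: "{{{ rule_title }}}: Set Fact - Add PQC fingerprint (RHEL 10.1 and newer)"
  ansible.builtin.set_fact:
    gpg_valid_fingerprints: "{{ gpg_valid_fingerprints + ['{{{ pqc_key_fingerprint }}}'] }}"
  when: ansible_distribution_version is version('10.1', '>=')
{{% endif %}}
```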
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
index 53931cd4009d..5fdb792b79cd 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
@@ -25,13 +25,16 @@ then
   # No CRC error, safe to proceed
   if [ "${GPG_RESULT}" -eq "0" ]
   then
+  # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
 {{% if "rhel" in families  and major_version_ordinal >= 10 %}}
-    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || {
+    if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}}
+    then
+      echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
+    else
+      echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
+    fi
 {{% else %}}
-    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
 {{% endif %}}
-      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
-      rpm --import "${REDHAT_RELEASE_KEY}"
-    }
   fi
 fi
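Review bot: The comment moved to the top of the hunk is indented by two spaces inside a block whose statements are indented by four, and the allowed-fingerprint alternation passed to `grep -vE` is now written out three times, once per branch, so the branches can drift apart on the next key change. Building the alternation once and adding the PQC fingerprint only under the 10.1 condition leaves a single `grep`/`rpm --import` line and keeps the comment next to the check it describes. The outer `if`/`then` that this hunk's first `fi` closes starts before the hunk.
```bash
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
    ALLOWED_FINGERPRINTS="${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}"
{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
    # The PQC key is only shipped by redhat-release from RHEL 10.1 on
    if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}}
    then
      ALLOWED_FINGERPRINTS="${ALLOWED_FINGERPRINTS}|${REDHAT_PQC_FINGERPRINT}"
    fi
{{% endif %}}
    echo "${GPG_OUT[*]}" | grep -vE "${ALLOWED_FINGERPRINTS}" || rpm --import "${REDHAT_RELEASE_KEY}"
  fi
```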
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
index 6871feba83b3..52461f678900 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
@@ -13,8 +13,13 @@
           <criterion comment="package gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}} is installed"
           test_ref="test_redhat_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" />
 {{% if "rhel" in families  and major_version_ordinal >= 10 %}}
-          <criterion comment="package gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}} is installed"
-          test_ref="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" />
+          <criteria comment="If RHEL is 10.1 or newer then PQC key must be installed" operator="OR">
+            <criterion comment="RHEL is older than 10.1" test_ref="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" negate="true" />
+            <criteria comment="RHEL is 10.1 or newer AND PQC is installed" operator="AND">
+              <criterion comment="RHEL is 10.1 or newer" test_ref="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" />
+              <criterion comment="package gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}} is installed" test_ref="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" />
+            </criteria>
+          </criteria>
 {{% endif %}}
       </criteria>
       {{%- if centos_major_version %}}
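Review bot: The inner `RHEL is 10.1 or newer` criterion in the AND block is redundant: `NOT A OR (A AND B)` has the same truth table as `NOT A OR B`, so the OR criteria can hold the negated version criterion and the package criterion directly, dropping the nested `<criteria operator="AND">` and its two wrapper lines. A comment on the OR criteria would also help readers, since the logic means the PQC key becomes optional whenever the version test (defined in the later hunk of this file, reading `VERSION_ID` from `/etc/os-release`) evaluates false, which appears to include the case where `VERSION_ID` is absent; e.g. `<!-- PQC key required only when VERSION_ID >= 10.1; a false version test makes it optional -->`. The same 10.1 cut-off is expressed via `ansible_distribution_version` in the Ansible file and via a bash conditional in the bash file, so the three should be cross-referenced in a comment to keep them in step.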
@@ -88,5 +93,22 @@
   </linux:rpminfo_state>
   {{%- endif %}}
 
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+  <ind:textfilecontent54_test check="all" comment="VERSION_ID in os-release is greater than or equal 10.1" id="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}_rhel_is_10_1_or_newer" />
+    <ind:state state_ref="state_{{{ rule_id }}}_rhel_is_10_1_or_newer" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^VERSION_ID=["']?([\w.]+)["']?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1">
+    <ind:subexpression operation="greater than or equal" datatype="version">10.1</ind:subexpression>
+  </ind:textfilecontent54_state>
+{{% endif %}}
+
 </def-group>
 {{% endif %}}

From b136bacf1b7c4806789788aec8b65f4afc5c7664 Mon Sep 17 00:00:00 2001
From: Arden97 <arden2545@gmail.com>
Date: Fri, 27 Feb 2026 11:15:13 +0100
Subject: [PATCH 212/265] add libreswan to platform for
 configure_libreswan_crypto_policy

---
 .../integrity/crypto/configure_libreswan_crypto_policy/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
index 8a14c3de7d55..f568fb714d9f 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
@@ -67,4 +67,4 @@ fixtext: |-
 
 srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'
 
-platform: system_with_kernel
+platform: system_with_kernel and package[libreswan]

From 248b1d76a8ddf545229553199a6fd8f67c6e1b0a Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Fri, 27 Feb 2026 14:09:03 +0000
Subject: [PATCH 213/265] Fix appending of ntp rule

Signed-off-by: Alan Moore <alan.moore@canonical.com>
---
 .../ntp/chronyd_configure_pool_and_server/bash/shared.sh        | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh
index b4a1687cde49..144cf95c553a 100644
--- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh
@@ -5,6 +5,8 @@
 
 config_file="{{{ chrony_conf_path }}}"
 
+sed -i -e '$a\' "$config_file"
+
 # Check and configigure servers in {{{ chrony_conf_path }}}
 IFS="," read -a SERVERS <<< $var_multiple_time_servers
 for srv in "${SERVERS[@]}"
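Review bot: The added `sed -i -e '$a\' "$config_file"` is an idiom few readers will recognise; a comment such as `# Ensure the file ends with a newline so entries appended below start on their own line` would record why it is there. If `$config_file` does not exist at this point, `sed -i` fails with "can't read" rather than creating the file; whether earlier lines of this script (outside the hunk) guarantee its existence is not visible here, so a guard like `[ -f "$config_file" ] || touch "$config_file"` before the `sed` may be needed. The `read` on the following line with an unquoted `$var_multiple_time_servers` is pre-existing and unchanged by this commit.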

From a20943a5392edf68d275330ca66dd279e2218693 Mon Sep 17 00:00:00 2001
From: Miha Purg <miha.purg@canonical.com>
Date: Fri, 27 Feb 2026 17:50:19 +0100
Subject: [PATCH 214/265] Add missing assignment

---
 shared/templates/file_owner/tests/incorrect_owner.fail.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/shared/templates/file_owner/tests/incorrect_owner.fail.sh b/shared/templates/file_owner/tests/incorrect_owner.fail.sh
index 4192e8b2b01d..7ec65d4b981b 100644
--- a/shared/templates/file_owner/tests/incorrect_owner.fail.sh
+++ b/shared/templates/file_owner/tests/incorrect_owner.fail.sh
@@ -2,7 +2,10 @@
 {{%- if NO_REMEDIATION %}}
 # remediation = none
 {{%- endif %}}
+
 useradd testuser_123
+
+{{% set OWNERS=UID_OR_NAME.split("|") %}}
 {{%- for own in OWNERS %}}
 id "{{{ own }}}" &>/dev/null || useradd {{{ own }}}
 {{%- endfor %}}

From 6b94de4c7c6e19142a4cab93fae7ec224739df5f Mon Sep 17 00:00:00 2001
From: Miha Purg <miha.purg@canonical.com>
Date: Fri, 27 Feb 2026 18:00:51 +0100
Subject: [PATCH 215/265] Fix file_owner OVAL to check exact username

---
 shared/templates/file_owner/oval.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
index 30d53803c7e0..75a2a491a6be 100644
--- a/shared/templates/file_owner/oval.template
+++ b/shared/templates/file_owner/oval.template
@@ -22,7 +22,7 @@
   {{%- else %}}
   {{%- for own in OWNERS %}}
   <unix:password_object id="object_file_owner{{{ FILEID }}}_{{{ own }}}_uid" version="1">
-    <unix:username operation="pattern match">{{{ own }}}</unix:username>
+    <unix:username operation="equals">{{{ own }}}</unix:username>
   </unix:password_object>
   <local_variable id="var_file_owner{{{ FILEID }}}_{{{ own }}}_uid" comment="Retrieve the uid of {{{ own }}}" datatype="int" version="1">
     <object_component item_field="user_id" object_ref="object_file_owner{{{ FILEID }}}_{{{ own }}}_uid" />

From 431fc7bde16a07120d25b628e8ca134e1763818c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 02:43:46 +0000
Subject: [PATCH 216/265] Bump mikepenz/release-changelog-builder-action from
 6.1.0 to 6.1.1

Bumps [mikepenz/release-changelog-builder-action](https://github.com/mikepenz/release-changelog-builder-action) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/mikepenz/release-changelog-builder-action/releases)
- [Commits](https://github.com/mikepenz/release-changelog-builder-action/compare/6faf020194b7c8853f9e55c4fd92e40b02122a04...a34a8009a9588bb86b02a873cf592440e96a5da8)

---
updated-dependencies:
- dependency-name: mikepenz/release-changelog-builder-action
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index cf3ef4c477a7..c42b14e96f7d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -39,7 +39,7 @@ jobs:
           GITHUB_REF: ${{ github.ref }}
       - name: Build Changelog
         id: build_changelog
-        uses: mikepenz/release-changelog-builder-action@6faf020194b7c8853f9e55c4fd92e40b02122a04 # v4
+        uses: mikepenz/release-changelog-builder-action@a34a8009a9588bb86b02a873cf592440e96a5da8 # v4
         with:
           configuration: .github/workflows/release-changelog.json
         env:

From a5b4da09e53ac25abeb002adab3cb29c0fd674ca Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 3 Mar 2026 09:35:10 +0100
Subject: [PATCH 217/265] ensure:redhat_gpgkey_installed: in ansible
 remediation use direct command instead of rpmkey Ansible module

The module is currently not working when encountering keys with PQC signatures

Relevant issue: https://github.com/ansible/ansible/issues/86157
---
 .../ensure_redhat_gpgkey_installed/ansible/shared.yml         | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index 750852c52a4f..514841546662 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -64,9 +64,7 @@
 {{% endif %}}
 
 - name: "{{{ rule_title }}}: Import RedHat GPG key"
-  ansible.builtin.rpm_key:
-    state: present
-    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+  ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
   when:
    - gpg_key_directory_permission.stat.mode <= '0755'
    - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
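Review bot: The replacement `ansible.builtin.command: rpm --import ...` will report `changed` on every run, because command tasks carry no idempotency detection and nothing here tells Ansible whether the key was already present; either add `changed_when: false` (if the fingerprint conditions in `when:` already establish that the import is a no-op) or register an `rpm -q gpg-pubkey` lookup beforehand and derive the changed state from it. The original `rpm_key` task was idempotent, so this is a regression in reporting, and ansible-lint's no-changed-when check will flag it. Since the switch is a workaround, a comment tying it to the upstream problem helps whoever reverts it later: `# rpm_key fails on keys with PQC signatures, see https://github.com/ansible/ansible/issues/86157`. The `when:` list appears to continue past the end of the hunk, so the full guard is not visible here.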

From 299faecb04b464d3c5ca7c94f0faf1fa71fb36b0 Mon Sep 17 00:00:00 2001
From: Arden97 <arden2545@gmail.com>
Date: Tue, 3 Mar 2026 14:43:32 +0100
Subject: [PATCH 218/265] clear entries before logind_session_timeout
 remediation

---
 .../logind_session_timeout/ansible/shared.yml     | 15 +++++++++++++++
 .../logind_session_timeout/bash/shared.sh         |  5 +++++
 2 files changed, 20 insertions(+)

diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
index 8a2608c93e68..bb1894435ae8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
@@ -6,7 +6,22 @@
 
 {{{ ansible_instantiate_variables("var_logind_session_timeout") }}}
 
+- name: Remove StopIdleSessionSec from main config
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/logind.conf
+    regexp: '^\s*StopIdleSessionSec\s*='
+    state: absent
+
 {{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}}
+
+- name: Remove StopIdleSessionSec from drop-in files
+  ansible.builtin.lineinfile:
+    path: "{{ item }}"
+    regexp: '^\s*StopIdleSessionSec\s*='
+    state: absent
+  with_fileglob:
+    - /etc/systemd/logind.conf.d/*.conf
+
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 {{% else %}}
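Review bot: `with_fileglob` in the new "Remove StopIdleSessionSec from drop-in files" task expands the glob on the Ansible controller, not on the managed host, so against a remote target the loop either finds nothing or iterates over the controller's own drop-in names; the target's files need to be enumerated with `ansible.builtin.find` and looped over, as shown below. The new `regexp` values are also case-sensitive, while the bash remediation in the same commit calls `lineinfile_absent` with `insensitive=true`; if the lenient match is intended, `regexp: '(?i)^\s*StopIdleSessionSec\s*='` keeps the two remediations in step. The enclosing template continues past the hunk, so the drop-in write that follows these removals is not visible here.
```yaml
- name: Find logind drop-in files
  ansible.builtin.find:
    paths: /etc/systemd/logind.conf.d
    patterns: '*.conf'
  register: logind_dropin_files

- name: Remove StopIdleSessionSec from drop-in files
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: '^\s*StopIdleSessionSec\s*='
    state: absent
  loop: "{{ logind_dropin_files.files }}"
# … unchanged: comment and logind_conf_file assignment …
```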
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
index cba93b6e8891..ea7d0c1caea4 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
@@ -2,10 +2,15 @@
 
 {{{ bash_instantiate_variables("var_logind_session_timeout") }}}
 
+# Remove StopIdleSessionSec from main config
+{{{ lineinfile_absent("/etc/systemd/logind.conf", "^\s*StopIdleSessionSec\s*=", insensitive=true, rule_id=rule_id) }}}
+
 {{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}}
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 mkdir -p "/etc/systemd/logind.conf.d/"
+# remove StopIdleSessionSec from drop-in files
+{{{ lineinfile_absent_in_directory("/etc/systemd/logind.conf.d", "^\s*StopIdleSessionSec\s*=", insensitive=true, filename_glob="*.conf") | indent(4) }}}
 {{% else %}}
 {{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
 {{% endif %}}
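Review bot: The `| indent(4)` on the `lineinfile_absent_in_directory` call has no counterpart on the `lineinfile_absent` call added a few lines above, and in a shell script the extra indentation is purely cosmetic; dropping the filter keeps the two macro calls consistent, i.e. `{{{ lineinfile_absent_in_directory("/etc/systemd/logind.conf.d", "^\s*StopIdleSessionSec\s*=", insensitive=true, filename_glob="*.conf") }}}`. If the directory macro also accepts a `rule_id` argument, passing it as the first call does would keep the generated output uniform. The `{{% if %}}` branch continues past the hunk, so the write of the drop-in that follows is not visible here.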

From adf2b37504afc017397b67d79da4a0df6f2b3bcd Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 3 Mar 2026 10:46:28 -0600
Subject: [PATCH 219/265] Adjust RHEL 8 and RHEL 9 kickstarts to fit in 20 GB

---
 .../ssg-rhel8-anssi_bp28_enhanced-ks.cfg       | 18 +++++++++---------
 .../kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 18 +++++++++---------
 .../ssg-rhel8-anssi_bp28_intermediary-ks.cfg   | 18 +++++++++---------
 .../ssg-rhel9-anssi_bp28_enhanced-ks.cfg       | 18 +++++++++---------
 .../kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg | 18 +++++++++---------
 .../ssg-rhel9-anssi_bp28_intermediary-ks.cfg   | 18 +++++++++---------
 .../ssg-rhel9-ccn_intermediate-ks.cfg          |  8 ++++----
 7 files changed, 58 insertions(+), 58 deletions(-)

diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 1b95e71705f9..069855e80d26 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -80,7 +80,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -95,15 +95,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
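Review bot: The new `/usr` floor of 6667 and the 128 MB floors for `/opt`, `/srv` and `/home` are unexplained magic numbers; a one-line comment above the logvol block stating the budget would save the next reader from re-deriving it, e.g. `# Minimum sizes are chosen so the layout fits a 20 GB disk; / absorbs any remaining space (--grow)`. Because only `/` carries `--grow`, `/home` will stay at 128 MB regardless of disk size, which is a very small floor for a profile that also targets workstations; if that is intended, the comment should say so, otherwise `/home` is the volume that should grow. The remaining logvol lines (/var and friends) fall outside the hunk, so the full sum is not visible here. The same edit appears in the other five anssi kickstarts in this commit, and ssg-rhel9-ccn_intermediate-ks.cfg lowers its root floor to 1024 in the same way.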
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon org_fedora_oscap
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index 461459e5d2bd..3477225767b6 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -84,7 +84,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -99,15 +99,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -123,17 +123,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon org_fedora_oscap
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 9080117a63c3..5789b94da59d 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -81,7 +81,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -96,15 +96,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -119,17 +119,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon org_fedora_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
index 5b170c0a635f..48dbcf396ce8 100644
--- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
@@ -80,7 +80,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -95,15 +95,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,noexec,nosuid"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
index 7cb225c2da56..bbb3a2cadf90 100644
--- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
@@ -84,7 +84,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -99,15 +99,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -122,17 +122,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
index 4feee55f0f8c..d5649e10ece3 100644
--- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
@@ -80,7 +80,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -95,15 +95,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
index 263be16f4566..73e367ce22dc 100644
--- a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
@@ -94,7 +94,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /home Located On Separate Partition
 logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
 # Ensure /tmp Located On Separate Partition
@@ -111,17 +111,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap

From a8098da86255ff21c8fa354ef85332a0f5acc59c Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 3 Mar 2026 15:33:04 -0600
Subject: [PATCH 220/265] Move to service_dnsmasq_disabled for CIS in RHEL

Removing the package was causing issues in installs
---
 products/rhel10/controls/cis_rhel10.yml | 2 ++
 products/rhel8/controls/cis_rhel8.yml   | 2 ++
 products/rhel9/controls/cis_rhel9.yml   | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 8269196f2993..f6abf020f44a 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -817,6 +817,8 @@ controls:
           - l1_workstation
       status: automated
       rules:
+          - service_dnsmasq_disabled
+      related_rules:
           - package_dnsmasq_removed
 
     - id: 2.1.7
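Review bot: Moving `package_dnsmasq_removed` to `related_rules` leaves `service_dnsmasq_disabled` as the only automated rule for this control, which is a weaker posture than package removal: a disabled unit can still be started by hand or pulled in by a dependent unit, whereas the usual alternative to removal is to stop and mask the service. If `service_dnsmasq_disabled` does not also verify that the unit is masked, that gap should be confirmed before `status: automated` is kept as-is. A YAML comment recording why removal was dropped, `# package_dnsmasq_removed is not enforced: removing the package breaks installs`, would explain the `related_rules` placement to future readers. The same edit is made in cis_rhel8.yml and cis_rhel9.yml.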
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index cbe5d4d6454e..57ff2e16abc4 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -860,6 +860,8 @@ controls:
           - l1_workstation
       status: automated
       rules:
+          - service_dnsmasq_disabled
+      related_rules:
           - package_dnsmasq_removed
 
     - id: 2.1.7
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index f73fbd1f6d79..2ded1b128c92 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -819,6 +819,8 @@ controls:
           - l1_workstation
       status: automated
       rules:
+          - service_dnsmasq_disabled
+      related_rules:
           - package_dnsmasq_removed
 
     - id: 2.1.6

From 5702c769f5ba933bf495aa37bbd4d230a0009b17 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 4 Mar 2026 02:43:28 +0000
Subject: [PATCH 221/265] Bump tj-actions/changed-files from 47.0.4 to 47.0.5

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.4 to 47.0.5.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/7dee1b0c1557f278e5c7dc244927139d78c0e22a...22103cc46bda19c2b464ffe86db46df6922fd323)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-version: 47.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/sync-cac-oscal.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sync-cac-oscal.yml b/.github/workflows/sync-cac-oscal.yml
index 7b7def566038..b79b752ccb68 100644
--- a/.github/workflows/sync-cac-oscal.yml
+++ b/.github/workflows/sync-cac-oscal.yml
@@ -73,7 +73,7 @@ jobs:
       # Step 6: Get changed files and detect updates
       - name: Get changed files
         if: ${{ env.SKIP == 'false' }}
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         id: changed-files
         with:
           path: "cac-content"

From 9ea95d55bf6e3260373443c1855b4080aca64e47 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 4 Mar 2026 12:45:25 +0100
Subject: [PATCH 222/265] update profile stability tests

---
 tests/data/profile_stability/rhel10/cis.profile                | 2 +-
 tests/data/profile_stability/rhel10/cis_server_l1.profile      | 2 +-
 tests/data/profile_stability/rhel10/cis_workstation_l1.profile | 2 +-
 tests/data/profile_stability/rhel10/cis_workstation_l2.profile | 2 +-
 tests/data/profile_stability/rhel8/cis.profile                 | 2 +-
 tests/data/profile_stability/rhel8/cis_server_l1.profile       | 2 +-
 tests/data/profile_stability/rhel8/cis_workstation_l1.profile  | 2 +-
 tests/data/profile_stability/rhel8/cis_workstation_l2.profile  | 2 +-
 tests/data/profile_stability/rhel9/cis.profile                 | 2 +-
 tests/data/profile_stability/rhel9/cis_server_l1.profile       | 2 +-
 tests/data/profile_stability/rhel9/cis_workstation_l1.profile  | 2 +-
 tests/data/profile_stability/rhel9/cis_workstation_l2.profile  | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index acb21b876b66..be281650fc10 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -322,7 +322,6 @@ package_audit_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -369,6 +368,7 @@ service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 1a8d4a413244..40d910b58ee9 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -226,7 +226,6 @@ package_aide_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -262,6 +261,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 63186a34c258..f2f820c05c60 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -222,7 +222,6 @@ package_aide_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -253,6 +252,7 @@ rsyslog_files_permissions
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 221ffac17557..68ed725b2d73 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -322,7 +322,6 @@ package_audit_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -365,6 +364,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 40ef7718866d..f17b30ec001e 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -323,7 +323,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -376,6 +375,7 @@ service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index c186914d253b..8acdac5b799c 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -237,7 +237,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -279,6 +278,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index f53d2e0dd714..3a115c19fbf6 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -234,7 +234,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -271,6 +270,7 @@ rsyslog_nolisten
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index f43c7d9ea9b5..c7700c1f700b 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -323,7 +323,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -372,6 +371,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 65f2ddc07f7e..398d9f9c3132 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -292,7 +292,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -339,6 +338,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index ac83e2c0a321..549ae2ca45b2 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -201,7 +201,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -238,6 +237,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index fb685c741479..fc3d0e7e594a 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -198,7 +198,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -230,6 +229,7 @@ rsyslog_files_permissions
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3fc4bebf0c4a..ac08a0eb2e05 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -292,7 +292,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -335,6 +334,7 @@ service_autofs_disabled
 service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled

From 418dd712864aa83c508d72fcb0e3c0b1523e1cb5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 4 Mar 2026 12:52:40 +0100
Subject: [PATCH 223/265] add cces to service_dnsmasq_disabled

---
 linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml | 3 +++
 shared/references/cce-redhat-avail.txt                        | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
index b030a645a893..51fe990a7a8f 100644
--- a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
+++ b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
@@ -13,6 +13,9 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-90720-4
+    cce@rhel9: CCE-90721-2
+    cce@rhel10: CCE-90722-0
     cce@sle15: CCE-92602-2
 
 platform: system_with_kernel
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 19129c0f0065..3681684fcdf0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2341,6 +2341,3 @@ CCE-90706-3
 CCE-90707-1
 CCE-90710-5
 CCE-90715-4
-CCE-90720-4
-CCE-90721-2
-CCE-90722-0

From f39db0b9aa60af2c3b278fd7b8dea4607069d278 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 4 Mar 2026 12:57:11 +0100
Subject: [PATCH 224/265] add package_dnsmasq_removed to default profiles for
 rhels

---
 products/rhel10/profiles/default.profile | 1 +
 products/rhel8/profiles/default.profile  | 1 +
 products/rhel9/profiles/default.profile  | 1 +
 3 files changed, 3 insertions(+)

diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
index 4d9b46867bc6..3be6b3d8376a 100644
--- a/products/rhel10/profiles/default.profile
+++ b/products/rhel10/profiles/default.profile
@@ -45,3 +45,4 @@ selections:
     - file_etc_security_opasswd
     - sshd_use_strong_macs
     - configure_ssh_crypto_policy
+    - package_dnsmasq_removed
diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile
index 6865a9615f79..7e7401a04ac7 100644
--- a/products/rhel8/profiles/default.profile
+++ b/products/rhel8/profiles/default.profile
@@ -738,3 +738,4 @@ selections:
     - configure_openssl_tls_crypto_policy
     - sshd_use_approved_kex_ordered_stig
     - accounts_user_dot_no_world_writable_programs
+    - package_dnsmasq_removed
diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
index 876e5516b32a..f817322dbdab 100644
--- a/products/rhel9/profiles/default.profile
+++ b/products/rhel9/profiles/default.profile
@@ -592,3 +592,4 @@ selections:
     - audit_rules_login_events_tallylog
     - configure_ssh_crypto_policy
     - accounts_user_dot_no_world_writable_programs
+    - package_dnsmasq_removed

From 2cb6581a0c3e85018b2d9ef69e8c22718e0ac119 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 4 Mar 2026 12:29:29 +0100
Subject: [PATCH 225/265] enlarge /usr partition in bsi kickstart

---
 products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
index 47ef01e7fa56..2989a47c9225 100644
--- a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
@@ -97,16 +97,16 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
 # partition_for_usr
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=3192 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
 # partition_for_opt
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128
 # Ensure /home Located On Separate Partition
 # partition_for_home
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
 # Ensure /tmp Located On Separate Partition
 # partition_for_tmp
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
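Review bot: The new `--size=6667` for /usr carries no comment explaining how the value was derived, unlike the round sizes used for every other volume in this file, so a later maintainer cannot tell whether it is a measured requirement or simply the budget left after /, /opt and /home were shrunk. A comment above the line in the style the file already uses, e.g. `# /usr holds the package set; 6667 MiB was chosen to fit <what it was sized against> — adjust together with /, /opt and /home`, would record the intent. Note also that /opt drops to 128 MiB and /home to 512 MiB in the same hunk while the subject mentions only /usr; if those reductions are deliberate they deserve the same one-line justification.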

From aa233ecef0bca8d4e7a47a2e8246df3c9a2d5a64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 5 Mar 2026 09:29:30 +0100
Subject: [PATCH 226/265] Add ensure_redhat_gpgkey_installed to RHEL 9 CIS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We have discovered that after hardening a RHEL 9 system with CIS profile
people can't install any RPM packages using dnf. Originally, we thought
that the problem was caused by the recent PR
https://github.com/ComplianceAsCode/content/pull/14316 but it isn't
caused by that because the problem is reproducible also with the latest
released version 0.1.79.  The actual reason is that the profile requires
GPG checks everywhere but the GPG key isn't installed because the CIS
profile doesn't contain rule `ensure_redhat_gpgkey_installed` that would
install the GPG key. The rule is listed in the CIS RHEL9 control file
but the requirement is manual. This is a bad user experience. In CIS
Benchmark, the requirement is manual, because of GPG keys for 3rd party
repositories.  But, add the rule `ensure_redhat_gpgkey_installed` to the
profile because the requirement 1.2.1.2 adds
`ensure_gpgcheck_never_disabled`, which requires GPG key checking. If the
Red Hat GPG key is not installed, users cannot install
any RPM package using dnf.  Therefore, we add the rule
`ensure_redhat_gpgkey_installed` to RHEL 9 CIS.
---
 products/rhel9/controls/cis_rhel9.yml                    | 9 +++++++--
 tests/data/profile_stability/rhel9/cis.profile           | 1 +
 tests/data/profile_stability/rhel9/cis_server_l1.profile | 1 +
 .../profile_stability/rhel9/cis_workstation_l1.profile   | 1 +
 .../profile_stability/rhel9/cis_workstation_l2.profile   | 1 +
 5 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index afc2df9a3be7..d96d8ad21fed 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -361,9 +361,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is globally activated (Automated)
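Review bot: The `notes` block repeats the commit message almost verbatim, including the sentence `If the Red Hat GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.`, which in a control file reads better as `If the Red Hat GPG key is not installed, dnf cannot install any RPM package once gpgcheck is enforced.` The identical text appears in the rhel10 and rhel8 hunks of the next commit and, with the Fedora rule name, in the cis_fedora.yml hunk after that, so the wording should be fixed in all four places. It would also help to say explicitly why the status is `partial` rather than `automated` — presumably because only the vendor key is installed by the rule and keys for third-party repositories still require manual verification, which the first sentence implies but does not state.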
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 6a5d215dcd14..a2f7813238af 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -137,6 +137,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index 3592f0f99e85..fb24601f97fe 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -65,6 +65,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index d6f2aaf4a60b..799da33423e1 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -63,6 +63,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index ec0bfe8d2be8..4e0da9c5fe6a 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -137,6 +137,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

From be0be6bf776626716f44a8742084be152c9f6647 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 5 Mar 2026 11:38:48 +0100
Subject: [PATCH 227/265] Add ensure_redhat_gpgkey_installed to RHEL 8 and 10
 CIS

Add rule ensure_redhat_gpgkey_installed to RHEL 8 CIS and RHEL 10 CIS profiles.
Similar to the previous commit.
---
 products/rhel10/controls/cis_rhel10.yml                  | 9 +++++++--
 products/rhel8/controls/cis_rhel8.yml                    | 9 +++++++--
 tests/data/profile_stability/rhel10/cis.profile          | 1 +
 .../data/profile_stability/rhel10/cis_server_l1.profile  | 1 +
 .../profile_stability/rhel10/cis_workstation_l1.profile  | 1 +
 .../profile_stability/rhel10/cis_workstation_l2.profile  | 1 +
 tests/data/profile_stability/rhel8/cis.profile           | 1 +
 tests/data/profile_stability/rhel8/cis_server_l1.profile | 1 +
 .../profile_stability/rhel8/cis_workstation_l1.profile   | 1 +
 .../profile_stability/rhel8/cis_workstation_l2.profile   | 1 +
 10 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 5873a002486d..9ab136c4be7a 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -366,9 +366,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index 9b8c5aa06bb2..69773b6030d3 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -379,9 +379,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index 2854ceaf8c8c..d59c4fb53bde 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index e7202ee09736..4eb3eeccf11e 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -74,6 +74,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 422c2734e667..ee18ebf6b8ed 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -72,6 +72,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 4305d8353fef..44b0fc37e7ec 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index d57ea698141e..bd44b63338dc 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -141,6 +141,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index 7dbac7629c95..02e03741db9a 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -72,6 +72,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index 3850f302bb71..2576b980b21d 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -70,6 +70,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index 45cd14d4e218..165fa1148947 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -141,6 +141,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

From 4bd86ef417951b9325d44e032cd4f182e27c3cf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 5 Mar 2026 11:42:41 +0100
Subject: [PATCH 228/265] Add ensure_fedora_gpgkey_installed to Fedora CIS

---
 controls/cis_fedora.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml
index 8821c83a893d..b22ccfbd7f1c 100644
--- a/controls/cis_fedora.yml
+++ b/controls/cis_fedora.yml
@@ -369,9 +369,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_fedora_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_fedora_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_globally_activated which requires GPG key checking. If the Fedora
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)

From b3c2e7188728b67c01e419c4db2ea8702b4528df Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 5 Mar 2026 11:29:46 -0600
Subject: [PATCH 229/265] Adjust BSI and PCI DSS kickstarts

---
 products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg    |  2 +-
 .../rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg     | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
index 2989a47c9225..68a69d4d0d9c 100644
--- a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
 logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var Located On Separate Partition
 # partition_for_var
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096
 # Ensure /var/log Located On Separate Partition
 # partition_for_var_log
 logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
diff --git a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
index 55a0a069cac0..cbb5ce7e2dcb 100644
--- a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
@@ -78,7 +78,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -93,32 +93,32 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=5120 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # CCE-26557-9: Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
 # CCE-26435-8: Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 # CCE-26639-5: Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096 --fsoptions="nodev"
 # CCE-26215-4: Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=512 --fsoptions="nodev"
 # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
 logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"
 logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
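Review bot: /var/log is halved to 512 MiB (`--size=512`) while /var/log/audit stays at 512 MiB, and nothing in the hunk records why the log volume shrank; the header comment a few lines up still says the layout assumes a 20GB disk, so the reduction does not appear to be forced by the disk budget. Because the PCI DSS profile is one where log retention requirements apply, a comment on the logvol line such as `# 512 MiB is a starting point; size /var/log for the site's log retention period` would stop the next maintainer from treating it as a tuned value. The BSI hunk above has the same gap where /var grows to 4096 without explanation. The trailing-whitespace cleanup mixed into this hunk would be easier to review as a separate change.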

From 9a24260fcb0377ece7af598086184ee58c35e725 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 Mar 2026 14:50:06 +0100
Subject: [PATCH 230/265] Extend check in grub2_uefi_password for cloud images

On RHEL 8, the GRUB configuration for UEFI is normally located at
`/boot/efi/EFI/redhat`. However, in RHEL 8 cloud images (e.g. AWS)
the `/boot/efi/EFI/redhat/` directory contains a stub pointing to
`/boot/grub2/`, and the actual configuration is located in the
`/boot/grub2/` directory.

Example stub in `/boot/efi/EFI/redhat/grub.cfg`:
```
search --no-floppy --set prefix --file /boot/grub2/grub.cfg
set prefix=($prefix)/boot/grub2
configfile $prefix/grub.cfg
```

In this commit, we extend the check to account for this special
configuration of the cloud images.

Fixes: https://github.com/ComplianceAsCode/content/issues/13211
---
 .../uefi/grub2_uefi_password/oval/shared.xml  | 29 ++++++++++++++++++-
 .../grub2_uefi_password/tests/stub.fail.sh    | 12 ++++++++
 .../grub2_uefi_password/tests/stub.pass.sh    | 13 +++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 6323828071e6..c780cf69e5e1 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -4,9 +4,16 @@
 
     <criteria operator="OR">
       <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+{{% if product in ["rhel8"] %}}
+<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg -->
+      <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg">
+        <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_password_stub" />
+        <criterion comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_boot_usercfg" />
+      </criteria>
+{{% endif %}}
     </criteria>
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" id="test_grub2_uefi_password_usercfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_usercfg" />
   </ind:textfilecontent54_test>
@@ -16,4 +23,24 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+{{% if product in ["rhel8"] %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_password_stub" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_stub" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_stub" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" id="test_grub2_uefi_password_boot_usercfg" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_boot_usercfg" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_boot_usercfg" version="1">
+    <ind:filepath>{{{ grub2_boot_path }}}/user.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
 </def-group>
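Review bot: The stub test only proves that `{{{ grub2_uefi_boot_path }}}/grub.cfg` contains some `configfile` directive (`^[\s]*configfile\b.*$` on `object_grub2_uefi_password_stub`), not that it hands off to `{{{ grub2_boot_path }}}/grub.cfg`, so the criteria comment in the first hunk ("is a stub pointing to …/grub.cfg") promises more than is checked: any UEFI grub.cfg that happens to include a `configfile` line lets the password requirement be satisfied by `/boot/grub2/user.cfg` alone. Consider anchoring the pattern on the stub line that names the target, for example the `search --no-floppy --set prefix --file {{{ grub2_boot_path }}}/grub.cfg` line quoted in the commit message, or matching `configfile` together with the `set prefix=` line that precedes it. The identical pattern is reused for `object_grub2_uefi_admin_username_stub` in the grub2_uefi_admin_username change further down, which should be tightened in step so both rules stay consistent.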
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh
new file mode 100644
index 000000000000..0673a07f6c1a
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cp "/boot/efi/EFI/redhat/user.cfg" "/boot/grub2/user.cfg"
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+rm -rf "/boot/grub2/user.cfg"
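Review bot: The `cp "/boot/efi/EFI/redhat/user.cfg" "/boot/grub2/user.cfg"` is cancelled by the `rm -rf "/boot/grub2/user.cfg"` three lines later, so it contributes nothing to the final state (and without `set -e` a missing source file only prints an error and the script carries on). If the intent is that neither location holds a password, the script should clear the UEFI copy too, e.g. `rm -f /boot/efi/EFI/redhat/user.cfg /boot/grub2/user.cfg`; otherwise a pre-existing password in the UEFI user.cfg satisfies the first OR criterion and the scenario does not fail, unless `$SHARED/grub2.sh` already resets it, which is not visible here. `-rf` on a single regular file is also stronger than needed; `rm -f` is enough.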
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh
new file mode 100644
index 000000000000..13dd27d8aca1
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+make_grub_password

From c5347d838b09d2e6d71054ca4b87ccb34456d857 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 4 Mar 2026 11:51:04 +0100
Subject: [PATCH 231/265] Remove outdated test scenario

Remove `invalid_username.fail.sh` that configures an invalid GRUB user
name. The reason is that starting from
https://github.com/ComplianceAsCode/content/pull/8438 the rule
`grub2_uefi_password` no longer checks user names, it only checks
passwords now, so an invalid user name can't make the rule fail.
---
 .../tests/invalid_username.fail.sh                   | 12 ------------
 1 file changed, 12 deletions(-)
 delete mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh
deleted file mode 100644
index c477fd7a9acd..000000000000
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# remediation = none
-
-. $SHARED/grub2.sh
-
-set_grub_uefi_root
-
-make_grub_password
-sed -i '/set superusers/d' /boot/grub/grub.cfg
-sed -i '/export superusers/d' /boot/grub/grub.cfg
-set_superusers "use r"

From 8a115799eb8cc61a46af5d726bec23eb0dd657f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 6 Mar 2026 09:19:18 +0100
Subject: [PATCH 232/265] Enable RHEL 8 cloud images in
 grub2_uefi_admin_username

Fixes: https://github.com/ComplianceAsCode/content/issues/13211
---
 .../grub2_uefi_admin_username/oval/shared.xml | 39 ++++++++++++++++++-
 .../tests/stub.fail.sh                        | 13 +++++++
 .../tests/stub.pass.sh                        | 13 +++++++
 3 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
index 07f99ff5bba8..170d6e34ab17 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
@@ -7,6 +7,15 @@
       <criterion comment="Superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg and it
             isn't root, admin, administrator nor equal to any system username"
             test_ref="test_bootloader_uefi_superuser_differ_from_other_users"/>
+{{% if product in ["rhel8"] %}}
+<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg -->
+      <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg">
+        <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_admin_username_stub" />
+        <criterion comment="Superuser is defined in {{{ grub2_boot_path }}}/grub.cfg and it
+              isn't root, admin, administrator nor equal to any system username"
+              test_ref="test_bootloader_uefi_boot_superuser_differ_from_other_users"/>
+      </criteria>
+{{% endif %}}
     </criteria>
   </definition>
 
@@ -33,10 +42,36 @@
     <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" />
   </ind:textfilecontent54_test>
 
+{{% set superusers_regex = '^[\\s]*set[\\s]+superusers="(?i)\\b(?!(?:root|admin|administrator)\\b)(\\w+)".*\\n[\\s]*export[\\s]+superusers[\\s]*$' %}}
+
   <ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
     <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
-    <ind:pattern operation="pattern match"
-          >^[\s]*set[\s]+superusers="(?i)\b(?!(?:root|admin|administrator)\b)(\w+)".*\n[\s]*export[\s]+superusers[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% if product in ["rhel8"] %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_admin_username_stub" version="1">
+    <ind:object object_ref="object_grub2_uefi_admin_username_stub" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_admin_username_stub" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser
+          is defined in {{{ grub2_boot_path }}}/grub.cfg. Superuser is not
+          equal to other system account nor root, admin, administrator"
+          id="test_bootloader_uefi_boot_superuser_differ_from_other_users" version="1">
+    <ind:object object_ref="object_bootloader_uefi_boot_unique_superuser" />
+    <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_bootloader_uefi_boot_unique_superuser" version="1">
+    <ind:filepath>{{{ grub2_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+{{% endif %}}
+
 </def-group>
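Review bot: The new `{{% set superusers_regex = ... %}}` doubles every backslash (`\\s`, `\\b`, `\\w`) while the inline pattern it replaces wrote them singly, and nothing records why; a Jinja comment above it would stop the next editor from "fixing" it back, e.g. `{{# backslashes are doubled: the Jinja string literal undergoes escape processing, so '\\s' renders as \s in the OVAL -- confirm in the built XML #}}`. It would also help to note that the same regex now feeds both `object_bootloader_uefi_unique_superuser` and `object_bootloader_uefi_boot_unique_superuser`, so any edit changes both checks. The state `state_bootloader_uefi_superuser_differ_from_other_users` that the new boot test references is defined outside this hunk.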
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh
new file mode 100644
index 000000000000..4c077fa1bb1f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+set_superusers "root"
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh
new file mode 100644
index 000000000000..45a6bb0c61f2
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+set_superusers "koskic"

From c41c35586b299c394e01891df7ea583156dc52e8 Mon Sep 17 00:00:00 2001
From: taimurhafeez <taimurhafeez93@gmail.com>
Date: Fri, 6 Mar 2026 13:48:41 +0000
Subject: [PATCH 233/265] Add OCIL instructions for BIOS configuration rules

These rules configure hardware BIOS settings that vary by manufacturer
and model. While we cannot provide specific step-by-step instructions
that apply to all hardware, we now provide guidance directing users to
consult their hardware vendor documentation.

This resolves test failures in CMP-3815 where these MANUAL rules were
missing instructions:
- bios_disable_usb_boot
- wireless_disable_in_bios

These base rules generate the product-specific variants:
- rhcos4-high-master-bios-disable-usb-boot
- rhcos4-high-master-wireless-disable-in-bios
- rhcos4-high-worker-bios-disable-usb-boot
- rhcos4-high-worker-wireless-disable-in-bios

Related: https://github.com/ComplianceAsCode/compliance-operator/pull/1051
---
 .../wireless_disable_in_bios/rule.yml                  | 10 ++++++++++
 .../mounting/bios_disable_usb_boot/rule.yml            |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml
index 8514f1be0618..bf988c70fd08 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml
@@ -16,6 +16,16 @@ rationale: |-
 
 severity: unknown
 
+ocil_clause: 'wireless devices (WiFi or Bluetooth) are enabled in BIOS'
+
+ocil: |-
+    Verify that built-in wireless devices (WiFi and Bluetooth) are disabled in the system
+    boot firmware (BIOS/UEFI). The process to configure this setting varies by hardware
+    manufacturer and model. Some systems may not have wireless devices or may not provide
+    BIOS-level controls for wireless devices.
+    Consult your hardware manual or vendor documentation for specific instructions on how to
+    access the firmware setup during boot and disable wireless device support.
+
 identifiers:
     cce@rhcos4: CCE-82659-4
     cce@rhel9: CCE-89909-6
diff --git a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml
index 3af92cfa15c0..38b47b6de468 100644
--- a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml
@@ -14,6 +14,14 @@ rationale: |-
 
 severity: unknown
 
+ocil_clause: 'the system allows booting from USB devices'
+
+ocil: |-
+    Verify that booting from USB devices is disabled in the system boot firmware (BIOS/UEFI).
+    The process to configure this setting varies by hardware manufacturer and model.
+    Consult your hardware manual or vendor documentation for specific instructions on how to
+    access the firmware setup during boot and disable USB boot capabilities.
+
 identifiers:
     cce@rhcos4: CCE-82662-8
     cce@rhel9: CCE-87913-0

From d065953f57bdbf919896199bc007b84039ae4738 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 09:55:32 +0200
Subject: [PATCH 234/265] Enable for sle16 package_kea_removed rule

---
 .../dhcp/disabling_dhcp_server/package_kea_removed/rule.yml      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
index 6acdf95eb38f..8311aa5ce764 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-87348-9
     cce@rhel10: CCE-86596-4
+    cce@sle16: CCE-96693-7
 
 {{{ complete_ocil_entry_package(package="kea") }}}
 

From 33a53a36f801d4a026038dffb0551c6cd675ce33 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 09:57:39 +0200
Subject: [PATCH 235/265] Enable for sle16 service_chronyd_enabled rule

---
 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 754b1bf3d189..af8540441c24 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel9: CCE-84217-9
     cce@rhel10: CCE-90511-7
     cce@sle15: CCE-92601-4
+    cce@sle16: CCE-96684-6
 
 references:
     srg: SRG-OS-000355-GPOS-00143

From 874d903350c60c6db0a34056e738c17d3ea56442 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:04:03 +0200
Subject: [PATCH 236/265] Add accounts_passwords_pam_faillock rules for sle16

---
 .../accounts_passwords_pam_faillock_deny/rule.yml                | 1 +
 .../accounts_passwords_pam_faillock_deny_root/rule.yml           | 1 +
 .../accounts_passwords_pam_faillock_interval/rule.yml            | 1 +
 .../accounts_passwords_pam_faillock_unlock_time/rule.yml         | 1 +
 4 files changed, 4 insertions(+)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 7212a67f9415..6f472912698a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel9: CCE-83587-6
     cce@rhel10: CCE-87388-5
     cce@sle15: CCE-85842-3
+    cce@sle16: CCE-96664-8
 
 references:
     cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index d836a170849b..fd7925a755f1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-87975-9
     cce@sle12: CCE-91468-9
     cce@sle15: CCE-91171-9
+    cce@sle16: CCE-96663-0
 
 references:
     cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index e012ebd6b3f3..8bad63e27c08 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel9: CCE-83583-5
     cce@rhel10: CCE-86672-3
     cce@sle15: CCE-91169-3
+    cce@sle16: CCE-96665-5
 
 references:
     cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index bf6799d6f0f4..faa85597accf 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -31,6 +31,7 @@ identifiers:
     cce@rhel9: CCE-83588-4
     cce@rhel10: CCE-89250-5
     cce@sle15: CCE-85841-5
+    cce@sle16: CCE-96666-3
 
 references:
     cis-csc: 1,12,15,16

From 7ffd0614c6c209d3191aa4f59438590d9278bf2b Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:21:40 +0200
Subject: [PATCH 237/265] Adapt for SLE15/16
 bash_ensure_pam_module_configuration macro

---
 shared/macros/10-bash.jinja | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 8bcd4bec988c..1db802d3d50d 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -809,7 +809,7 @@ pam_file="/etc/pam.d/common-auth"
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
     {{% if  product in ['sle15', 'sle16'] %}}
     # insert before pam_unix.so
-    sed -i --follow-symlinks '/^auth.*required.*pam_unix\.so.*/i auth        required      pam_faillock.so preauth' "$pam_file"
+    sed -i --follow-symlinks '/^auth.*pam_unix\.so.*/i auth        required      pam_faillock.so preauth' "$pam_file"
     {{% else %}}
     # insert at the top
     sed -i --follow-symlinks '/^# here are the per-package modules/i auth        required      pam_faillock.so preauth' "$pam_file"
@@ -846,6 +846,19 @@ if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
     echo 'account   required     pam_faillock.so' >> "$pam_file"
     {{% endif %}}
 fi
+
+{{% if  product in ['sle15', 'sle16'] %}}
+{{{
+    bash_ensure_pam_module_configuration(
+    '/etc/pam.d/common-auth',
+    'auth',
+    '\[success=1 default=ignore\]',
+    'pam_unix.so',
+    '',
+    '',
+    '')
+}}}
+{{% endif %}}
 {{% elif 'ubuntu' in product %}}
 conf_name=cac_faillock
 
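Review bot: The nested `bash_ensure_pam_module_configuration('/etc/pam.d/common-auth', 'auth', '\[success=1 default=ignore\]', 'pam_unix.so', '', '', '')` call passes three empty strings and carries no comment saying what it achieves; from its arguments it appears to rewrite the control field of the `pam_unix.so` auth entry, but why the faillock stack on SLE needs that is not recorded. A comment above the call such as `# SLE15/16: pam_unix.so must use [success=1 default=ignore] so a failed password does not end the stack before pam_faillock.so authfail runs -- TODO confirm` would make the intent reviewable. Separately, the loosened `sed '/^auth.*pam_unix\.so.*/i ...'` in the first hunk inserts the preauth line before every matching line, so a common-auth with more than one `auth … pam_unix.so` entry would receive duplicate preauth entries; the enclosing macro starts outside the hunk.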

From 3bacd093c49d9853eb35a9702f64be1bbba086ee Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:06:05 +0200
Subject: [PATCH 238/265] Add accounts_password_pam_unix_rounds_password_auth
 rule and remediations for sle16

---
 .../ansible/shared.yml                                      | 2 +-
 .../bash/shared.sh                                          | 2 +-
 .../oval/shared.xml                                         | 2 +-
 .../rule.yml                                                | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
index daf063350cb8..bf8aeb3f469c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
@@ -6,7 +6,7 @@
 
 {{{ ansible_instantiate_variables("var_password_pam_unix_rounds") }}}
 
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
 {{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
 {{% else %}}
 {{{ ansible_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
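Review bot: The Ansible product list still reads `["sle12", "sle15", "sle16"]` while the OVAL and rule.yml lists in this same commit also map `debian12`, `debian13`, `ubuntu2204` and `ubuntu2404` to `/etc/pam.d/common-password`; unless ansible/shared.yml has a branch for those products outside this hunk, its remediation edits `/etc/pam.d/password-auth`, a file the check never reads on those platforms. The bash remediation handles them with an `elif` and the `[success=1 default=ignore]` control, so the Ansible side likely needs the equivalent branch. Keeping the three lists in one ordering (the OVAL one is now alphabetical) would also make this kind of drift visible in future diffs.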
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
index cdef1f01f94e..3bca691a411c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
@@ -2,7 +2,7 @@
 
 {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}}
 
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
 {{% elif product in ["debian12", "debian13"] %}}
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
index e3d35e50f261..1ebd7c437550 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
index f52c225f397d..f00a09c6d160 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
 
 title: 'Set number of Password Hashing Rounds - password-auth'
 
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -19,7 +19,7 @@ description: |-
     <pre>password [success=1 default=ignore] pam_unix.so <i>...existing_options...</i> rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre>
     {{% else %}}
     <pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre>
-    
+
     The system's default number of rounds is 5000.
     {{% endif %}}
 
@@ -67,5 +67,5 @@ fixtext: |-
     {{% else %}}
     password sufficient pam_unix.so sha512 rounds=5000
     {{% endif %}}
-    
+
 srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds in {{{ pam_passwd_file_path }}}.'

From 2e523304df5e8aa254aa80347d02b037bbc1c278 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:07:34 +0200
Subject: [PATCH 239/265] Enabe for sle16 ensure_logrotate_activated rule

---
 .../ansible/shared.yml                         | 18 ++++++++++++------
 .../ensure_logrotate_activated/bash/shared.sh  |  6 +++++-
 .../ensure_logrotate_activated/oval/shared.xml |  8 ++++++++
 .../tests/logrotate_conf_weekly.fail.sh        |  7 ++++++-
 .../logrotate_no_cron_daily_no_timer.fail.sh   |  8 +++++++-
 5 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
index f9f947d0bc79..e18fad5ddd4f 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -4,19 +4,25 @@
 # complexity = low
 # disruption = low
 
-- name: Configure daily log rotation in /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+{{% set LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf" %}}
+{{% else %}}
+{{% set LOGROTATE_CONF_FILE="/etc/logrotate.conf" %}}
+{{% endif %}}
+
+- name: "Configure daily log rotation in {{{ LOGROTATE_CONF_FILE }}}"
   ansible.builtin.lineinfile:
     create: yes
-    dest: "/etc/logrotate.conf"
+    dest: {{{ LOGROTATE_CONF_FILE }}}
     regexp: '^\s*(weekly|monthly|yearly)$'
     line: "daily"
     state: present
     insertbefore: BOF
 
-- name: Make sure daily log rotation setting is not overridden in /etc/logrotate.conf
+- name: "Make sure daily log rotation setting is not overridden in {{{ LOGROTATE_CONF_FILE }}}"
   ansible.builtin.lineinfile:
     create: no
-    dest: "/etc/logrotate.conf"
+    dest: {{{ LOGROTATE_CONF_FILE }}}
     regexp: '^[\s]*(weekly|monthly|yearly)$'
     state: absent
 
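Review bot: On sle16 both the remediation and the check are pointed at `/usr/etc/logrotate.conf` alone. If sle16 follows the usual vendor-defaults layout in which `/usr/etc` holds the package-shipped file and an administrator's `/etc/logrotate.conf` takes precedence (not verifiable from this diff), then `lineinfile` with `create: yes` edits a vendor file that a package update may replace, and the OVAL objects `object_logrotate_conf_daily_setting` and `object_logrotate_conf_no_other_keyword` would report daily rotation even when an `/etc/logrotate.conf` containing `weekly` is the one in effect. The bash remediation and the two OVAL hunks in this commit carry the same assumption. Consider honouring `/etc/logrotate.conf` when it exists and falling back to `/usr/etc/logrotate.conf` only otherwise, or recording in the rule why `/usr/etc` is authoritative on sle16.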
@@ -39,7 +45,7 @@
     - name: Add logrotate call
       ansible.builtin.lineinfile:
         path: "/etc/cron.daily/logrotate"
-        line: '/usr/sbin/logrotate /etc/logrotate.conf'
-        regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
+        line: '/usr/sbin/logrotate {{{ LOGROTATE_CONF_FILE }}}'
+        regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*{{{ LOGROTATE_CONF_FILE }}}$'
         create: yes
 {{% endif %}}
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
index c55cd9de94a6..82446d128faa 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
@@ -1,6 +1,10 @@
 # platform = multi_platform_all
 
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE='/usr/etc/logrotate.conf'
+{{% else %}}
+LOGROTATE_CONF_FILE='/etc/logrotate.conf'
+{{% endif %}}
 {{% if 'sle' in product or product == 'slmicro5' %}}
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 {{% else %}}
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
index fc8a7ba8688b..762e706a563d 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
@@ -25,7 +25,11 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_logrotate_conf_daily_setting" version="2">
+{{% if product == 'sle16' %}}
+    <ind:filepath>/usr/etc/logrotate.conf</ind:filepath>
+{{% else %}}
     <ind:filepath>/etc/logrotate.conf</ind:filepath>
+{{% endif %}}
     <ind:pattern operation="pattern match">^\s*daily[\s#]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
@@ -37,7 +41,11 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_logrotate_conf_no_other_keyword" version="2">
+{{% if product == 'sle16' %}}
+    <ind:filepath>/usr/etc/logrotate.conf</ind:filepath>
+{{% else %}}
     <ind:filepath>/etc/logrotate.conf</ind:filepath>
+{{% endif %}}
     <ind:pattern operation="pattern match">^\s*(weekly|monthly|yearly)[\s#]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
index de41c7b2844b..7e3bf2ae36ac 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
@@ -1,3 +1,8 @@
 #!/bin/bash
 
-sed -i "s/daily/weekly/" /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+sed -i "s/daily/weekly/" "${LOGROTATE_CONF_FILE}"
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
index 86b1ca86090d..9ae01cc789bd 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
@@ -2,11 +2,17 @@
 
 # packages = logrotate,crontabs
 
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+
 # disable the timer
 systemctl disable logrotate.timer || true
 
 # fix logrotate config
-sed -i "s/weekly/daily/" /etc/logrotate.conf
+sed -i "s/weekly/daily/" "${LOGROTATE_CONF_FILE}"
 
 # remove default for cron.daily
 rm -f /etc/cron.daily/logrotate

From f739b4ed72d4446ed074470228a3a2644176bb67 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:08:39 +0200
Subject: [PATCH 240/265] Enable for sle16 sysctl_net_ipv6_conf_all_autoconf
 rule

---
 .../configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
index 9488675532ca..2b6704e6c378 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-88386-8
     cce@sle12: CCE-91520-7
     cce@sle15: CCE-91205-5
+    cce@sle16: CCE-96669-7
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.autoconf", value="0") }}}
 

From 2b15582f922b59563370c18c375f7103b1efac34 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:13:32 +0200
Subject: [PATCH 241/265] Enable sysctl_net_ipv4_conf_all_drop_gratuitous_arp
 for sle16

---
 .../sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml        | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
index c3a61454b8e4..b3c83e6a668a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel8: CCE-88001-3
     cce@rhel9: CCE-89001-2
     cce@rhel10: CCE-89975-7
+    cce@sle16: CCE-96672-1
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.drop_gratuitous_arp", value="1") }}}
 

From e9334651d5248dd67ecfa2cb221bf71caa1e1b43 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:14:21 +0200
Subject: [PATCH 242/265] Enable for sle16 sysctl_fs_protected* rules

---
 .../system/permissions/files/sysctl_fs_protected_fifos/rule.yml  | 1 +
 .../permissions/files/sysctl_fs_protected_regular/rule.yml       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
index d21952c3300d..f6325c7cfb07 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
@@ -15,6 +15,7 @@ severity: medium
 identifiers:
     cce@rhel9: CCE-85884-5
     cce@rhel10: CCE-87125-1
+    cce@sle16: CCE-96680-4
 
 references:
     nist: CM-6(a),AC-6(1)
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
index bcf733e4ad0a..9a6b3ba2e0f4 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
     cce@rhel9: CCE-85885-2
     cce@rhel10: CCE-90354-2
+    cce@sle16: CCE-96679-6
 
 references:
     nist: CM-6(a),AC-6(1)

From 6ede34819815063dc0b4769e5325cc925fe04842 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:15:21 +0200
Subject: [PATCH 243/265] Enable for sle16 rule mount_option_tmp_noexec

---
 .../permissions/partitions/mount_option_tmp_noexec/rule.yml    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 735018892a8c..75fb0ec5f6c6 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-87095-6
     cce@sle12: CCE-91586-8
     cce@sle15: CCE-91272-5
+    cce@sle16: CCE-96696-0
     cce@slmicro5: CCE-94079-1
 
 references:
@@ -39,7 +40,7 @@ references:
     srg: SRG-OS-000368-GPOS-00154
     stigid@ol8: OL08-00-040125
 
-{{% if product == 'slmicro5' %}}
+{{% if product in ['slmicro5', 'sle16'] %}}
 platform: system_with_kernel
 {{% else %}}
 platform: mount[tmp]

From a8bb68c7f38b6f8ee94b695ab31cc8b23f6b1894 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:20:36 +0200
Subject: [PATCH 244/265] Enable sle16 specific checks and remediations for
 mount_option_tmp_noexec

---
 .../mount_option_tmp_noexec/ansible/sle16.yml | 28 +++++++++++++++++++
 .../mount_option_tmp_noexec/bash/sle16.sh     | 23 +++++++++++++++
 .../mount_option_tmp_noexec/oval/sle16.xml    | 18 ++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
new file mode 100644
index 000000000000..8dfea23acad8
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
@@ -0,0 +1,28 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: '{{{ rule_title }}} - Check if noexec options is configured in /usr/lib/systemd/system/tmp.mount'
+  ansible.builtin.lineinfile:
+    path: /usr/lib/systemd/system/tmp.mount
+    regexp: ^[\s]*Options=[\s]*.*noexec.*$
+    state: absent
+  check_mode: true
+  register: noexec_match
+
+# if no match, collect current options and add noexec
+- name: '{{{ rule_title }}} - Collect previously configured options'
+  ansible.builtin.shell:
+    cmd: sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' /usr/lib/systemd/system/tmp.mount
+  register: current_options
+  when:
+    - noexec_match is defined and noexec_match.found == 0
+
+
+- name: '{{{ rule_title }}} - Add noexec option to previously configured options'
+  ansible.builtin.shell:
+    cmd: sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g" /usr/lib/systemd/system/tmp.mount
+  when:
+    - noexec_match.found == 0 and current_options is defined
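Review bot: The third task interpolates `{{ current_options.stdout }}` unquoted into a `sed -i` shell command, so any `/` or `&` in the existing Options= value breaks the substitution and any shell metacharacter is executed; `ansible.builtin.lineinfile` with `regexp: ^\s*Options=.*` and `line: "Options={{ current_options.stdout }},noexec"` avoids both the shell and the sed quoting. Unlike the bash remediation in this series, the playbook never handles a unit without an Options= line: the second task then registers an empty stdout, the sed has nothing to replace and noexec is silently not added. Both remediations and the OVAL in this commit also work on the vendor unit /usr/lib/systemd/system/tmp.mount, which a package update can overwrite; a drop-in under /etc/systemd/system/tmp.mount.d/ followed by `systemctl daemon-reload` is the durable form, provided the check is pointed at the same place.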
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
new file mode 100644
index 000000000000..9f694b9bb9d3
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
@@ -0,0 +1,23 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+tmp_mount_file="/usr/lib/systemd/system/tmp.mount"
+
+# if already set, skip
+if grep -qE '^[\s]*Options=[\s]*.*noexec.*$' ${tmp_mount_file}; then
+    echo "noexec option already present, skipping remediation"
+    exit 0
+fi
+
+# no options set, add it
+if ! grep -qE '^[\s]*Options=[\s]*.*$' ${tmp_mount_file}; then
+    echo "Options=noexec" >> ${tmp_mount_file}
+else
+  # collect currently set options
+  current_options=$(sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' ${tmp_mount_file})
+  # add noexec to current options and replace
+  sed -i "s/^Options=.*/Options=${current_options},noexec/g" ${tmp_mount_file}
+fi
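Review bot: Inside a bracket expression `[\s]` is not a whitespace class for grep -E or sed — it matches a literal backslash or the letter `s` — so the three patterns here only behave because `*` permits zero matches and Options= happens to start at column 0; should the key ever be indented, the first grep misses an existing noexec and the script then appends a second `Options=noexec` line. Use `[[:space:]]` instead, e.g. `grep -qE '^[[:space:]]*Options=.*noexec' "${tmp_mount_file}"` and `sed -n 's/^[[:space:]]*Options=[[:space:]]*\(.*\)$/\1/p' "${tmp_mount_file}"`. The final `sed -i` also places `${current_options}` unescaped in the replacement text, where `&` and `/` have special meaning, so a value containing either would corrupt the unit file.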
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
new file mode 100644
index 000000000000..81bec910ddfd
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
@@ -0,0 +1,18 @@
+<def-group>
+  <definition class="compliance" id="mount_option_tmp_noexec" version="1">
+    {{{ oval_metadata("ensure tmp.mount services has noexec option configured.") }}}
+    <criteria>
+        <criterion comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" test_ref="test_tmp_mount_noexec_option" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" id="test_tmp_mount_noexec_option" version="1">
+    <ind:object object_ref="object_tmp_mount_noexec_option" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_tmp_mount_noexec_option" comment="Options has  noexec set in /usr/lib/systemd/system/tmp.mount" version="1">
+    <ind:filepath>/usr/lib/systemd/system/tmp.mount</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*Options=.*noexec.*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
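Review bot: The object tests only the vendor unit /usr/lib/systemd/system/tmp.mount, but systemd resolves the effective options from an override unit in /etc/systemd/system/tmp.mount or a drop-in under /etc/systemd/system/tmp.mount.d/, either of which takes precedence; a drop-in that resets `Options=` without noexec would therefore pass this check, and an administrator who added noexec through a drop-in would fail it. A second object over the drop-in directory, `<ind:filepath operation="pattern match">^/etc/systemd/system/tmp\.mount\.d/.*\.conf$</ind:filepath>`, combined with the existing one under `<criteria operator="OR">`, would cover the common layout. The `.*noexec.*` pattern also accepts noexec anywhere in the line rather than as a whole mount option; `^[\s]*Options=(.*,)?noexec(,.*)?$` is tighter and matches the comma-separated syntax.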

From baa7da42f9a8d036ab0d6801dad77535dc81a21e Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:16:56 +0200
Subject: [PATCH 245/265]  Add sysctl_kernel_unprivileged_bpf_disabled and
 sysctl_kernel_yama_ptrace_scope sysctl_net_core_bpf_jit_harden rules

---
 .../sysctl_kernel_unprivileged_bpf_disabled/rule.yml             | 1 +
 .../restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml        | 1 +
 .../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml         | 1 +
 3 files changed, 3 insertions(+)

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
index 53af78ce203b..d2d1e2cf9284 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-82974-7
     cce@rhel9: CCE-83957-1
     cce@rhel10: CCE-89405-5
+    cce@sle16: CCE-96676-2
 
 references:
     nist: AC-6,SC-7(10)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index 2c6e83019b64..3a56b472e039 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-88785-1
     cce@sle12: CCE-91572-8
     cce@sle15: CCE-91262-6
+    cce@sle16: CCE-96674-7
 
 references:
     nist: SC-7(10)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index e05977fecfbb..d67f456472e3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel8: CCE-82934-1
     cce@rhel9: CCE-83966-2
     cce@rhel10: CCE-89631-6
+    cce@sle16: CCE-96674-7
 
 references:
     nist: CM-6,SC-7(10)

From ec70dbd448c3522ddbe285eab8e228d9203bedfa Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:18:18 +0200
Subject: [PATCH 246/265] Enable more rules for SLE16 ANSSI

---
 .../profiles/anssi_bp28_enhanced.profile      | 55 +++++-----------
 .../sle16/profiles/anssi_bp28_high.profile    | 59 ++----------------
 .../profiles/anssi_bp28_intermediary.profile  | 62 +++++++++----------
 .../sle16/profiles/anssi_bp28_minimal.profile | 51 +++++++++------
 4 files changed, 81 insertions(+), 146 deletions(-)

diff --git a/products/sle16/profiles/anssi_bp28_enhanced.profile b/products/sle16/profiles/anssi_bp28_enhanced.profile
index f93536a0114c..d93e440d079a 100644
--- a/products/sle16/profiles/anssi_bp28_enhanced.profile
+++ b/products/sle16/profiles/anssi_bp28_enhanced.profile
@@ -27,71 +27,50 @@ selections:
     - var_sudo_dedicated_group=root
     - accounts_password_pam_pwhistory_remember
     - set_password_hashing_min_rounds_logindefs
-    - '!accounts_password_pam_dcredit'
-    - '!accounts_password_pam_lcredit'
-    - '!accounts_password_pam_minclass'
-    - '!accounts_password_pam_minlen'
-    - '!accounts_password_pam_ocredit'
-    - '!accounts_password_pam_retry'
-    - '!accounts_password_pam_ucredit'
-    - '!accounts_password_pam_unix_remember'
-    - '!accounts_password_pam_unix_rounds_password_auth'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!cracklib_accounts_password_pam_ucredit'
     - '!accounts_password_pam_unix_rounds_system_auth'
-    - '!accounts_passwords_pam_faillock_deny_root'
-    - '!accounts_passwords_pam_faillock_deny'
-    - '!accounts_passwords_pam_faillock_interval'
-    - '!accounts_passwords_pam_faillock_unlock_time'
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!accounts_passwords_pam_tally2'
+    - '!aide_periodic_cron_checking'
     - '!all_apparmor_profiles_enforced'
     - '!apparmor_configured'
-    - '!audit_rules_dac_modification_fchmodat2'
-    - '!audit_rules_file_deletion_events_renameat2'
     - '!audit_rules_immutable'
-    - '!audit_rules_mac_modification_etc_selinux'
     - '!dnf-automatic_apply_updates'
     - '!dnf-automatic_security_updates_only'
     - '!enable_authselect'
     - '!ensure_almalinux_gpgkey_installed'
     - '!ensure_oracle_gpgkey_installed'
     - '!ensure_redhat_gpgkey_installed'
-    - '!file_groupowner_etc_chrony_keys'
     - '!file_groupowner_user_cfg'
     - '!file_owner_user_cfg'
     - '!file_permissions_sudo'
     - '!file_permissions_user_cfg'
     - '!grub2_enable_apparmor'
-    - '!grub2_mds_argument'
-    - '!grub2_page_alloc_shuffle_argument'
-    - '!grub2_page_poison_argument'
-    - '!grub2_pti_argument'
-    - '!grub2_slub_debug_argument'
+    - '!kernel_config_arm64_sw_ttbr0_pan'
+    - '!kernel_config_gcc_plugin_latent_entropy'
+    - '!kernel_config_gcc_plugin_randstruct'
+    - '!kernel_config_gcc_plugin_stackleak'
+    - '!kernel_config_gcc_plugin_structleak_byref_all'
+    - '!kernel_config_gcc_plugin_structleak'
+    - '!kernel_config_legacy_vsyscall_emulate'
+    - '!kernel_config_modify_ldt_syscall'
+    - '!kernel_config_refcount_full'
+    - '!kernel_config_slab_merge_default'
     - '!ldap_client_start_tls'
     - '!ldap_client_tls_cacertpath'
-    - '!mount_option_tmp_noexec'
     - '!no_nis_in_nsswitch'
     - '!package_apparmor_installed'
     - '!package_dnf-automatic_installed'
     - '!package_dracut-fips-aesni_installed'
-    - '!package_kea_removed'
     - '!package_pam_apparmor_installed'
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
-    - '!package_sendmail_removed'
-    - '!package_sequoia-sq_installed'
-    - '!package_talk_removed'
-    - '!package_talk-server_removed'
-    - '!package_xinetd_removed'
     - '!package_ypbind_removed'
     - '!package_ypserv_removed'
-    - '!service_chronyd_enabled'
-    - '!set_password_hashing_algorithm_systemauth'
-    - '!sysctl_fs_protected_fifos'
-    - '!sysctl_fs_protected_regular'
-    - '!sysctl_kernel_unprivileged_bpf_disabled'
-    - '!sysctl_kernel_yama_ptrace_scope'
-    - '!sysctl_net_core_bpf_jit_harden'
-    - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
-    - '!sysctl_net_ipv6_conf_all_autoconf'
+    - '!sebool_secure_mode_insmod'
     - '!timer_dnf-automatic_enabled'
diff --git a/products/sle16/profiles/anssi_bp28_high.profile b/products/sle16/profiles/anssi_bp28_high.profile
index 9884a6c214f5..c0c4fd81912c 100644
--- a/products/sle16/profiles/anssi_bp28_high.profile
+++ b/products/sle16/profiles/anssi_bp28_high.profile
@@ -27,99 +27,50 @@ selections:
     - var_sudo_dedicated_group=root
     - accounts_password_pam_pwhistory_remember
     - set_password_hashing_min_rounds_logindefs
-    - '!accounts_password_pam_dcredit'
-    - '!accounts_password_pam_lcredit'
-    - '!accounts_password_pam_minclass'
-    - '!accounts_password_pam_minlen'
-    - '!accounts_password_pam_ocredit'
-    - '!accounts_password_pam_retry'
-    - '!accounts_password_pam_ucredit'
-    - '!accounts_password_pam_unix_remember'
-    - '!accounts_password_pam_unix_rounds_password_auth'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!cracklib_accounts_password_pam_ucredit'
     - '!accounts_password_pam_unix_rounds_system_auth'
-    - '!accounts_passwords_pam_faillock_deny_root'
-    - '!accounts_passwords_pam_faillock_deny'
-    - '!accounts_passwords_pam_faillock_interval'
-    - '!accounts_passwords_pam_faillock_unlock_time'
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!accounts_passwords_pam_tally2'
     - '!aide_periodic_cron_checking'
     - '!all_apparmor_profiles_enforced'
     - '!apparmor_configured'
-    - '!audit_rules_dac_modification_fchmodat2'
-    - '!audit_rules_file_deletion_events_renameat2'
     - '!audit_rules_immutable'
-    - '!audit_rules_mac_modification_etc_selinux'
     - '!dnf-automatic_apply_updates'
     - '!dnf-automatic_security_updates_only'
     - '!enable_authselect'
     - '!ensure_almalinux_gpgkey_installed'
     - '!ensure_oracle_gpgkey_installed'
     - '!ensure_redhat_gpgkey_installed'
-    - '!file_groupowner_etc_chrony_keys'
     - '!file_groupowner_user_cfg'
     - '!file_owner_user_cfg'
     - '!file_permissions_sudo'
     - '!file_permissions_user_cfg'
     - '!grub2_enable_apparmor'
-    - '!grub2_mds_argument'
-    - '!grub2_page_alloc_shuffle_argument'
-    - '!grub2_page_poison_argument'
-    - '!grub2_pti_argument'
-    - '!grub2_slub_debug_argument'
     - '!kernel_config_arm64_sw_ttbr0_pan'
-    - '!kernel_config_bug_on_data_corruption'
-    - '!kernel_config_debug_wx'
-    - '!kernel_config_fortify_source'
     - '!kernel_config_gcc_plugin_latent_entropy'
     - '!kernel_config_gcc_plugin_randstruct'
     - '!kernel_config_gcc_plugin_stackleak'
     - '!kernel_config_gcc_plugin_structleak_byref_all'
     - '!kernel_config_gcc_plugin_structleak'
-    - '!kernel_config_hardened_usercopy_fallback'
-    - '!kernel_config_hardened_usercopy'
     - '!kernel_config_legacy_vsyscall_emulate'
-    - '!kernel_config_legacy_vsyscall_none'
-    - '!kernel_config_legacy_vsyscall_xonly'
     - '!kernel_config_modify_ldt_syscall'
-    - '!kernel_config_page_poisoning'
     - '!kernel_config_refcount_full'
-    - '!kernel_config_sched_stack_end_check'
-    - '!kernel_config_slab_freelist_hardened'
-    - '!kernel_config_slab_freelist_random'
     - '!kernel_config_slab_merge_default'
-    - '!kernel_config_stackprotector_strong'
-    - '!kernel_config_stackprotector'
-    - '!kernel_config_strict_kernel_rwx'
-    - '!kernel_config_strict_module_rwx'
-    - '!kernel_config_vmap_stack'
     - '!ldap_client_start_tls'
     - '!ldap_client_tls_cacertpath'
-    - '!mount_option_tmp_noexec'
     - '!no_nis_in_nsswitch'
     - '!package_apparmor_installed'
     - '!package_dnf-automatic_installed'
     - '!package_dracut-fips-aesni_installed'
-    - '!package_kea_removed'
     - '!package_pam_apparmor_installed'
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
-    - '!package_sendmail_removed'
-    - '!package_sequoia-sq_installed'
-    - '!package_talk_removed'
-    - '!package_talk-server_removed'
-    - '!package_xinetd_removed'
     - '!package_ypbind_removed'
     - '!package_ypserv_removed'
     - '!sebool_secure_mode_insmod'
-    - '!service_chronyd_enabled'
-    - '!set_password_hashing_algorithm_systemauth'
-    - '!sysctl_fs_protected_fifos'
-    - '!sysctl_fs_protected_regular'
-    - '!sysctl_kernel_unprivileged_bpf_disabled'
-    - '!sysctl_kernel_yama_ptrace_scope'
-    - '!sysctl_net_core_bpf_jit_harden'
-    - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
-    - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!timer_dnf-automatic_enabled'
diff --git a/products/sle16/profiles/anssi_bp28_intermediary.profile b/products/sle16/profiles/anssi_bp28_intermediary.profile
index dd68326e7307..5fbf1d3ee013 100644
--- a/products/sle16/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle16/profiles/anssi_bp28_intermediary.profile
@@ -27,56 +27,50 @@ selections:
     - var_sudo_dedicated_group=root
     - accounts_password_pam_pwhistory_remember
     - set_password_hashing_min_rounds_logindefs
-    - '!accounts_password_pam_dcredit'
-    - '!accounts_password_pam_lcredit'
-    - '!accounts_password_pam_minclass'
-    - '!accounts_password_pam_minlen'
-    - '!accounts_password_pam_ocredit'
-    - '!accounts_password_pam_retry'
-    - '!accounts_password_pam_ucredit'
-    - '!accounts_password_pam_unix_remember'
-    - '!accounts_password_pam_unix_rounds_password_auth'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!cracklib_accounts_password_pam_ucredit'
     - '!accounts_password_pam_unix_rounds_system_auth'
-    - '!accounts_passwords_pam_faillock_deny_root'
-    - '!accounts_passwords_pam_faillock_deny'
-    - '!accounts_passwords_pam_faillock_interval'
-    - '!accounts_passwords_pam_faillock_unlock_time'
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!accounts_passwords_pam_tally2'
+    - '!aide_periodic_cron_checking'
+    - '!all_apparmor_profiles_enforced'
+    - '!apparmor_configured'
+    - '!audit_rules_immutable'
     - '!dnf-automatic_apply_updates'
     - '!dnf-automatic_security_updates_only'
     - '!enable_authselect'
     - '!ensure_almalinux_gpgkey_installed'
     - '!ensure_oracle_gpgkey_installed'
     - '!ensure_redhat_gpgkey_installed'
-    - '!file_groupowner_etc_chrony_keys'
-    - '!grub2_mds_argument'
-    - '!grub2_page_alloc_shuffle_argument'
-    - '!grub2_page_poison_argument'
-    - '!grub2_pti_argument'
-    - '!grub2_slub_debug_argument'
+    - '!file_groupowner_user_cfg'
+    - '!file_owner_user_cfg'
+    - '!file_permissions_sudo'
+    - '!file_permissions_user_cfg'
+    - '!grub2_enable_apparmor'
+    - '!kernel_config_arm64_sw_ttbr0_pan'
+    - '!kernel_config_gcc_plugin_latent_entropy'
+    - '!kernel_config_gcc_plugin_randstruct'
+    - '!kernel_config_gcc_plugin_stackleak'
+    - '!kernel_config_gcc_plugin_structleak_byref_all'
+    - '!kernel_config_gcc_plugin_structleak'
+    - '!kernel_config_legacy_vsyscall_emulate'
+    - '!kernel_config_modify_ldt_syscall'
+    - '!kernel_config_refcount_full'
+    - '!kernel_config_slab_merge_default'
     - '!ldap_client_start_tls'
     - '!ldap_client_tls_cacertpath'
-    - '!mount_option_tmp_noexec'
     - '!no_nis_in_nsswitch'
+    - '!package_apparmor_installed'
     - '!package_dnf-automatic_installed'
-    - '!package_kea_removed'
+    - '!package_dracut-fips-aesni_installed'
+    - '!package_pam_apparmor_installed'
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
-    - '!package_sendmail_removed'
-    - '!package_sequoia-sq_installed'
-    - '!package_talk_removed'
-    - '!package_talk-server_removed'
-    - '!package_xinetd_removed'
     - '!package_ypbind_removed'
     - '!package_ypserv_removed'
-    - '!set_password_hashing_algorithm_systemauth'
-    - '!sysctl_fs_protected_fifos'
-    - '!sysctl_fs_protected_regular'
-    - '!sysctl_kernel_unprivileged_bpf_disabled'
-    - '!sysctl_kernel_yama_ptrace_scope'
-    - '!sysctl_net_core_bpf_jit_harden'
-    - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
-    - '!sysctl_net_ipv6_conf_all_autoconf'
+    - '!sebool_secure_mode_insmod'
     - '!timer_dnf-automatic_enabled'
diff --git a/products/sle16/profiles/anssi_bp28_minimal.profile b/products/sle16/profiles/anssi_bp28_minimal.profile
index 0fbb44696a92..441229a07086 100644
--- a/products/sle16/profiles/anssi_bp28_minimal.profile
+++ b/products/sle16/profiles/anssi_bp28_minimal.profile
@@ -27,39 +27,50 @@ selections:
     - var_sudo_dedicated_group=root
     - accounts_password_pam_pwhistory_remember
     - set_password_hashing_min_rounds_logindefs
-    - '!accounts_password_pam_dcredit'
-    - '!accounts_password_pam_lcredit'
-    - '!accounts_password_pam_minclass'
-    - '!accounts_password_pam_minlen'
-    - '!accounts_password_pam_ocredit'
-    - '!accounts_password_pam_retry'
-    - '!accounts_password_pam_ucredit'
-    - '!accounts_password_pam_unix_remember'
-    - '!accounts_password_pam_unix_rounds_password_auth'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!cracklib_accounts_password_pam_ucredit'
     - '!accounts_password_pam_unix_rounds_system_auth'
-    - '!accounts_passwords_pam_faillock_deny_root'
-    - '!accounts_passwords_pam_faillock_deny'
-    - '!accounts_passwords_pam_faillock_interval'
-    - '!accounts_passwords_pam_faillock_unlock_time'
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!accounts_passwords_pam_tally2'
+    - '!aide_periodic_cron_checking'
+    - '!all_apparmor_profiles_enforced'
+    - '!apparmor_configured'
+    - '!audit_rules_immutable'
     - '!dnf-automatic_apply_updates'
     - '!dnf-automatic_security_updates_only'
     - '!enable_authselect'
     - '!ensure_almalinux_gpgkey_installed'
     - '!ensure_oracle_gpgkey_installed'
     - '!ensure_redhat_gpgkey_installed'
+    - '!file_groupowner_user_cfg'
+    - '!file_owner_user_cfg'
+    - '!file_permissions_sudo'
+    - '!file_permissions_user_cfg'
+    - '!grub2_enable_apparmor'
+    - '!kernel_config_arm64_sw_ttbr0_pan'
+    - '!kernel_config_gcc_plugin_latent_entropy'
+    - '!kernel_config_gcc_plugin_randstruct'
+    - '!kernel_config_gcc_plugin_stackleak'
+    - '!kernel_config_gcc_plugin_structleak_byref_all'
+    - '!kernel_config_gcc_plugin_structleak'
+    - '!kernel_config_legacy_vsyscall_emulate'
+    - '!kernel_config_modify_ldt_syscall'
+    - '!kernel_config_refcount_full'
+    - '!kernel_config_slab_merge_default'
+    - '!ldap_client_start_tls'
+    - '!ldap_client_tls_cacertpath'
+    - '!no_nis_in_nsswitch'
+    - '!package_apparmor_installed'
     - '!package_dnf-automatic_installed'
-    - '!package_kea_removed'
+    - '!package_dracut-fips-aesni_installed'
+    - '!package_pam_apparmor_installed'
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
-    - '!package_sendmail_removed'
-    - '!package_sequoia-sq_installed'
-    - '!package_talk_removed'
-    - '!package_talk-server_removed'
-    - '!package_xinetd_removed'
     - '!package_ypbind_removed'
     - '!package_ypserv_removed'
-    - '!set_password_hashing_algorithm_systemauth'
+    - '!sebool_secure_mode_insmod'
     - '!timer_dnf-automatic_enabled'

From eae3060a9e227d158154dd9c614627207082019e Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:19:37 +0200
Subject: [PATCH 247/265] Reserve for SLE16 CCE rules

---
 shared/references/cce-sle16-avail.txt | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
index 32b21dd878c5..26c3e6e170bd 100644
--- a/shared/references/cce-sle16-avail.txt
+++ b/shared/references/cce-sle16-avail.txt
@@ -419,20 +419,3 @@ CCE-96656-4
 CCE-96657-2
 CCE-96659-8
 CCE-96662-2
-CCE-96663-0
-CCE-96664-8
-CCE-96665-5
-CCE-96666-3
-CCE-96669-7
-CCE-96672-1
-CCE-96674-7
-CCE-96676-2
-CCE-96679-6
-CCE-96680-4
-CCE-96684-6
-CCE-96685-3
-CCE-96687-9
-CCE-96689-5
-CCE-96690-3
-CCE-96693-7
-CCE-96696-0

From 2aa291a5504c92c1bf0014a23d40cc3d8b6bb5dd Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 5 Mar 2026 06:12:14 +0200
Subject: [PATCH 248/265] Fix CCE conflict

---
 .../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml     | 2 +-
 shared/references/cce-sle16-avail.txt                        | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index d67f456472e3..49c4d362a87a 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -17,7 +17,7 @@ identifiers:
     cce@rhel8: CCE-82934-1
     cce@rhel9: CCE-83966-2
     cce@rhel10: CCE-89631-6
-    cce@sle16: CCE-96674-7
+    cce@sle16: CCE-96656-4
 
 references:
     nist: CM-6,SC-7(10)
diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
index 26c3e6e170bd..f0e358f3e7e6 100644
--- a/shared/references/cce-sle16-avail.txt
+++ b/shared/references/cce-sle16-avail.txt
@@ -415,7 +415,10 @@ CCE-96647-3
 CCE-96651-5
 CCE-96652-3
 CCE-96655-6
-CCE-96656-4
 CCE-96657-2
 CCE-96659-8
 CCE-96662-2
+CCE-96685-3
+CCE-96687-9
+CCE-96689-5
+CCE-96690-3
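Review bot: Returning `CCE-96685-3`, `CCE-96687-9`, `CCE-96689-5` and `CCE-96690-3` to the available pool assumes none of them was assigned to a rule after the previous commit reserved them; if any is already referenced by a `cce@sle16` identifier, the next reservation from this file recreates exactly the duplicate this patch fixes, so a grep for each of the four across the rule tree is worth doing before merge. The identifier the rule gives up, `CCE-96674-7`, is not put back into the pool, which reads as intentional (presumably it is the one already used elsewhere), but the commit message does not say which rule owns it. A sentence in the message naming that rule would make the swap auditable later.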

From e27c74dde0d078efe2de90550e090b84a1f70895 Mon Sep 17 00:00:00 2001
From: Samir MOUHOUNE <samir.mouhoune@nav-timing.safrangroup.com>
Date: Mon, 23 Feb 2026 23:45:53 +0100
Subject: [PATCH 249/265] core(ssg): add product-overridable SSH client path
 properties

---
 ssg/constants.py | 2 ++
 ssg/products.py  | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/ssg/constants.py b/ssg/constants.py
index 1f4ae4a5631c..624e2571cade 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -463,6 +463,8 @@
 DEFAULT_SSHD_CONFIG_DIR = '/etc/ssh/sshd_config.d'
 DEFAULT_SSHD_HARDENING_CONFIG_BASENAME = '00-complianceascode-hardening.conf'
 DEFAULT_SSHD_SYSCONFIG_FILE = '/etc/sysconfig/sshd'
+DEFAULT_SSH_CLIENT_MAIN_CONFIG_FILE = '/etc/ssh/ssh_config'
+DEFAULT_SSH_CLIENT_CONFIG_DIR = '/etc/ssh/ssh_config.d'
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
 DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'
diff --git a/ssg/products.py b/ssg/products.py
index 93eaa1857708..77b110b2d298 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -21,6 +21,8 @@
                         DEFAULT_SSHD_CONFIG_DIR,
                         DEFAULT_SSHD_HARDENING_CONFIG_BASENAME,
                         DEFAULT_SSHD_SYSCONFIG_FILE,
+                        DEFAULT_SSH_CLIENT_MAIN_CONFIG_FILE,
+                        DEFAULT_SSH_CLIENT_CONFIG_DIR,
                         DEFAULT_CHRONY_CONF_PATH,
                         DEFAULT_CHRONY_D_PATH,
                         DEFAULT_AUDISP_CONF_PATH,
@@ -130,6 +132,12 @@ def _get_implied_properties(existing_properties):
     if "sshd_sysconfig_file" not in existing_properties:
         result["sshd_sysconfig_file"] = DEFAULT_SSHD_SYSCONFIG_FILE
 
+    if "ssh_client_main_config_file" not in existing_properties:
+        result["ssh_client_main_config_file"] = DEFAULT_SSH_CLIENT_MAIN_CONFIG_FILE
+
+    if "ssh_client_config_dir" not in existing_properties:
+        result["ssh_client_config_dir"] = DEFAULT_SSH_CLIENT_CONFIG_DIR
+
     if "product" not in existing_properties:
         result["product"] = DEFAULT_PRODUCT
 
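Review bot: The two new properties are introduced without any documentation; the diffstat touches only `ssg/constants.py` and `ssg/products.py`, so a product author cannot discover that `ssh_client_main_config_file` and `ssh_client_config_dir` are overridable in `product.yml` other than by reading this function. If the project keeps a list of overridable product properties in its developer documentation, add both keys there with their defaults `/etc/ssh/ssh_config` and `/etc/ssh/ssh_config.d`; otherwise a one-line comment above the new `if` blocks, `# Client-side OpenSSH paths; products ship them in product.yml to override`, at least records the intent next to the code. `_get_implied_properties` begins before this hunk.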

From 8e14e4325105ed41ef9f9c1ffa4e6859318c805f Mon Sep 17 00:00:00 2001
From: Samir MOUHOUNE <samir.mouhoune@nav-timing.safrangroup.com>
Date: Mon, 23 Feb 2026 23:46:02 +0100
Subject: [PATCH 250/265] rules(ssh_client): replace hardcoded ssh client paths
 with product properties

---
 .../ssh_client_rekey_limit/ansible/shared.yml |  9 ++--
 .../ssh_client_rekey_limit/bash/shared.sh     |  7 +--
 .../ssh_client_rekey_limit/oval/shared.xml    | 18 +++++---
 .../ssh_client_rekey_limit/rule.yml           | 16 ++++---
 .../bash/shared.sh                            | 12 ++---
 .../oval/shared.xml                           | 14 +++---
 .../rule.yml                                  |  3 +-
 .../bash/shared.sh                            | 12 ++---
 .../oval/shared.xml                           | 15 ++++---
 .../rule.yml                                  |  7 +--
 .../bash/shared.sh                            |  3 +-
 .../oval/shared.xml                           | 45 ++++++++++---------
 .../harden_ssh_client_crypto_policy/rule.yml  |  6 ++-
 13 files changed, 96 insertions(+), 71 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml
index 81968afeebea..7b5a91c274e7 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml
@@ -4,12 +4,15 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
+{{%- set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" -%}}
 
-{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', insensitive=false, create='no', state='absent', rule_title=rule_title) }}}
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in ' ~ sshc_main_config, path=sshc_main_config, regex='^\s*RekeyLimit.*$', insensitive=false, create='no', state='absent', rule_title=rule_title) }}}
 
 - name: Collect all include config files for ssh client which configure RekeyLimit
   ansible.builtin.find:
-    paths: "/etc/ssh/ssh_config.d/"
+    paths: "{{{ sshc_config_dir }}}"
     contains: '^[\s]*RekeyLimit.*$'
     patterns: "*.config"
   register: ssh_config_include_files
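Review bot: The `find` task on the new `paths:` line still filters with `patterns: "*.config"` (unchanged line just below it), while the bash remediation for this rule iterates `"$include_directory"/*.conf` and the OVAL object matches `.*\.conf$`, so the Ansible variant never sees the include files it is meant to clean and a conflicting `RekeyLimit` in another `.conf` file survives remediation and then fails the check. Change that line to `patterns: "*.conf"` so all three implementations agree on which files count as includes. The commit is the right moment to fix it, since it is the first time the directory is driven by a product property.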
@@ -21,4 +24,4 @@
     state: "absent"
   loop: "{{ ssh_config_include_files.files }}"
 
-{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', insensitive=false, new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present', rule_title=rule_title) }}}
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in ' ~ sshc_rekey_config, path=sshc_rekey_config, regex='^\s*RekeyLimit.*$', insensitive=false, new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present', rule_title=rule_title) }}}
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh
index 9662e8d55e4c..c50d21ab5242 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh
@@ -1,9 +1,10 @@
 # platform = multi_platform_all
 
 {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{%- set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" -%}}
 
-main_config="/etc/ssh/ssh_config"
-include_directory="/etc/ssh/ssh_config.d"
+main_config="{{{ ssh_client_main_config_file }}}"
+include_directory="{{{ ssh_client_config_dir }}}"
 
 if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
   sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
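Review bot: The new `{{%- set sshc_rekey_config = ... -%}}` line strips the newline before the tag and the newline after it, so the text preceding the tag and the `main_config=` assignment are rendered onto one shell line; here the preceding text is the `bash_instantiate_variables` expansion, so whether they fuse depends on that macro's trailing newline, but the same construct in this commit's ciphers script (directly after `ssh_approved_ciphers="..."`), MACs script (after its `bash_instantiate_variables` call) and crypto-policy script (after a `#` comment, which turns `file=...` into comment text) corrupts or drops the shell assignments unless the project's Jinja environment disables `-` whitespace control. Use the form without trailing whitespace control, `{{% set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" %}}`, in all four scripts; the empty line it leaves is harmless in shell. Separately, the unchanged `grep` and `sed` on the two lines after the hunk use `[\s]*`, which in a POSIX bracket expression means the literal characters `\` and `s` rather than whitespace (GNU grep reads it that way), so an indented `RekeyLimit` in the main config is neither detected nor deleted while the rule's OVAL check does treat `\s` as whitespace; `^[[:space:]]*RekeyLimit` works in both tools and makes check and fix agree.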
@@ -15,4 +16,4 @@ for file in "$include_directory"/*.conf; do
   fi
 done
 
-{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
+{{{ set_config_file(path=sshc_rekey_config, parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml
index 83c8433fb153..01f49eb6842f 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml
@@ -1,10 +1,13 @@
 
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
+
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf", rule_title=rule_title) }}}
+    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in " ~ sshc_main_config ~ " and " ~ sshc_config_dir ~ "/*.conf", rule_title=rule_title) }}}
     <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
-      <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
-      <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
+      <criterion comment="check that RekeyLimit is not configured in {{{ sshc_main_config }}}" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
+      <criterion comment="check correct RekeyLimit configuration in {{{ sshc_config_dir }}}/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
     </criteria>
   </definition>
 
@@ -22,22 +25,23 @@
   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
 
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in {{{ sshc_main_config }}}" id="test_ssh_client_rekey_limit_main_config" version="1">
      <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
-     <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+     <ind:filepath>{{{ sshc_main_config }}}</ind:filepath>
      <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in {{{ sshc_config_dir }}}/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
      <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
-     <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
+     <ind:path>{{{ sshc_config_dir }}}</ind:path>
+     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
      <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
index d9b564e17a4d..018a48cca00c 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
@@ -1,5 +1,8 @@
 documentation_complete: true
 
+{{% set sshc_main_config = ssh_client_main_config_file %}}
+{{% set sshc_config_dir = ssh_client_config_dir %}}
+{{% set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" %}}
 
 title: 'Configure session renegotiation for SSH client'
 
@@ -8,11 +11,11 @@ description: |-
     the session key is renegotiated, both in terms of
     amount of data that may be transmitted and the time
     elapsed. To decrease the default limits, put line
-    <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+    <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>{{{ sshc_rekey_config }}}</tt>.
     Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
     the <tt>include</tt> directive in the main config file
-    <tt>/etc/ssh/ssh_config</tt>. Check also other files in
-    <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
+    <tt>{{{ sshc_main_config }}}</tt>. Check also other files in
+    <tt>{{{ sshc_config_dir }}}</tt> directory. Files are processed according to
     lexicographical order of file names. Make sure that there is no file
     processed before <tt>02-rekey-limit.conf</tt> containing definition of
     <tt>RekeyLimit</tt>.
@@ -37,12 +40,12 @@ ocil_clause: 'it is commented out or is not set'
 
 ocil: |-
     To check if RekeyLimit is set correctly, run the following command:
-    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre>
+    <pre>$ sudo grep RekeyLimit {{{ sshc_config_dir }}}/*.conf</pre>
     If configured properly, output should be
-    <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
+    <pre>{{{ sshc_rekey_config }}}:
     RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</pre>
     Check also the main configuration file with the following command:
-    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config</pre>
+    <pre>$ sudo grep RekeyLimit {{{ sshc_main_config }}}</pre>
     The command should not return any output.
 
 fixtext: |-
@@ -53,4 +56,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect.
 
     $ sudo systemctl restart sshd.service
-
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh
index c90bd144ef7d..e8dc3188311e 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh
@@ -1,14 +1,16 @@
 # platform = multi_platform_ubuntu
 
 ssh_approved_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr"
+{{%- set sshc_cipher_list_config = ssh_client_config_dir ~ "/00-cipher-list.conf" -%}}
 
-main_config="/etc/ssh/ssh_config"
-include_directory="/etc/ssh/ssh_config.d"
+main_config="{{{ ssh_client_main_config_file }}}"
+include_directory="{{{ ssh_client_config_dir }}}"
+cipher_list_config="$include_directory/00-cipher-list.conf"
 
 sed -i '/^\s*[Cc]iphers.*/d' "$main_config" "$include_directory"/*.conf || true
 
-if ! grep -qE '^[Hh]ost\s+\*$' /etc/ssh/ssh_config.d/00-cipher-list.conf; then
-  echo 'Host *' >> /etc/ssh/ssh_config.d/00-cipher-list.conf
+if ! grep -qE '^[Hh]ost\s+\*$' "$cipher_list_config"; then
+  echo 'Host *' >> "$cipher_list_config"
 fi
 
-{{{ set_config_file(path="/etc/ssh/ssh_config.d/00-cipher-list.conf", parameter="Ciphers", value='$ssh_approved_ciphers', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
+{{{ set_config_file(path=sshc_cipher_list_config, parameter="Ciphers", value='$ssh_approved_ciphers', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
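Review bot: `cipher_list_config` on the new shell line and `sshc_cipher_list_config` on the new Jinja `set` line spell the same path twice, once in shell and once in the template, and only the Jinja one reaches `set_config_file`; the MACs script in this commit does the same with `mac_list_config`/`sshc_mac_list_config`. Deriving the shell variable from the template value, `cipher_list_config="{{{ sshc_cipher_list_config }}}"`, keeps the two from drifting if the file name is ever changed in only one place.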
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml
index 3d6471f483cd..6a17966e11de 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml
@@ -1,40 +1,42 @@
 {{%- if product == 'ubuntu2404' %}}
 {{%- set ssh_approved_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}}
 {{%- endif %}}
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}}
     <criteria comment="the configuration is correct if it exists" operator="AND">
-      <criterion comment="Check the ciphers in /etc/ssh/ssh_config if any"
+      <criterion comment="Check the ciphers in {{{ sshc_main_config }}} if any"
         test_ref="test_{{{ rule_id }}}" />
-      <criterion comment="Check the ciphers in /etc/ssh/ssh_config.d if any"
+      <criterion comment="Check the ciphers in {{{ sshc_config_dir }}} if any"
         test_ref="test_{{{ rule_id }}}_config_dir" />
       <criterion comment="the configuration exists" test_ref="test_ciphers_present_{{{ rule_id }}}" />
     </criteria>
   </definition>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of ciphers setting in the /etc/ssh/ssh_config file"
+    comment="tests the value of ciphers setting in {{{ sshc_main_config }}}"
     id="test_{{{ rule_id }}}" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
-    <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+    <ind:filepath>{{{ sshc_main_config }}}</ind:filepath>
     <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of ciphers setting in the /etc/ssh/ssh_config.d file"
+    comment="tests the value of ciphers setting in {{{ sshc_config_dir }}}"
     id="test_{{{ rule_id }}}_config_dir" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}_config_dir" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1">
-    <ind:path>/etc/ssh/ssh_config.d</ind:path>
+    <ind:path>{{{ sshc_config_dir }}}</ind:path>
     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
     <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml
index b390b8e81328..d5a3fd4861c7 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml
@@ -1,13 +1,14 @@
 {{%- if product == 'ubuntu2404' %}}
 {{%- set ssh_approved_ciphers = "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}}
 {{%- endif %}}
+{{% set sshc_main_config = ssh_client_main_config_file %}}
 documentation_complete: true
 
 title: 'Use Only FIPS 140-3 Validated Ciphers in SSH Client Configuration'
 
 description: |-
     Limit the ciphers to those algorithms which are FIPS-approved.
-    The following line in <tt>/etc/ssh/ssh_config</tt>
+    The following line in <tt>{{{ sshc_main_config }}}</tt>
     demonstrates use of FIPS-approved ciphers:
     {{%- if 'ubuntu' in product %}}
     <pre>Ciphers {{{ ssh_approved_ciphers }}}</pre>
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh
index 8c4fa3715f4b..c5bef9fd205b 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh
@@ -1,14 +1,16 @@
 # platform = multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("ssh_approved_macs") }}}
+{{%- set sshc_mac_list_config = ssh_client_config_dir ~ "/00-mac-list.conf" -%}}
 
-main_config="/etc/ssh/ssh_config"
-include_directory="/etc/ssh/ssh_config.d"
+main_config="{{{ ssh_client_main_config_file }}}"
+include_directory="{{{ ssh_client_config_dir }}}"
+mac_list_config="$include_directory/00-mac-list.conf"
 
 sed -i '/^\s*MACs.*/d' "$main_config" "$include_directory"/*.conf || true
 
-if ! grep -qE '^[Hh]ost\s+\*$' /etc/ssh/ssh_config.d/00-mac-list.conf; then
-  echo 'Host *' >> /etc/ssh/ssh_config.d/00-mac-list.conf
+if ! grep -qE '^[Hh]ost\s+\*$' "$mac_list_config"; then
+  echo 'Host *' >> "$mac_list_config"
 fi
 
-{{{ set_config_file(path="/etc/ssh/ssh_config.d/00-mac-list.conf", parameter="MACs", value='$ssh_approved_macs', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
+{{{ set_config_file(path=sshc_mac_list_config, parameter="MACs", value='$ssh_approved_macs', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml
index be209a2537b6..a7dbbe5edee9 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml
@@ -1,11 +1,14 @@
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
+
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}}
     <criteria comment="ssh is configured correctly" operator="AND">
       <criteria comment="the configuration is correct if it exists" operator="AND">
-        <criterion comment="Check the MACs in /etc/ssh/ssh_config if any"
+        <criterion comment="Check the MACs in {{{ sshc_main_config }}} if any"
           test_ref="test_{{{ rule_id }}}" />
-        <criterion comment="Check the MACs in /etc/ssh/ssh_config.d if any"
+        <criterion comment="Check the MACs in {{{ sshc_config_dir }}} if any"
           test_ref="test_{{{ rule_id }}}_config_dir" />
       </criteria>
       <criterion comment="the configuration exists" test_ref="test_MACs_present_{{{ rule_id }}}" />
@@ -13,27 +16,27 @@
   </definition>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of MACs setting in the /etc/ssh/ssh_config file"
+    comment="tests the value of MACs setting in {{{ sshc_main_config }}}"
     id="test_{{{ rule_id }}}" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
-    <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+    <ind:filepath>{{{ sshc_main_config }}}</ind:filepath>
     <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of MACs setting in the /etc/ssh/ssh_config.d file"
+    comment="tests the value of MACs setting in {{{ sshc_config_dir }}}"
     id="test_{{{ rule_id }}}_config_dir" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}_config_dir" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1">
-    <ind:path>/etc/ssh/ssh_config.d</ind:path>
+    <ind:path>{{{ sshc_config_dir }}}</ind:path>
     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
     <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml
index 45de2c107a32..618ba70265e0 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml
@@ -1,10 +1,12 @@
 documentation_complete: true
+{{% set sshc_main_config = ssh_client_main_config_file %}}
+{{% set sshc_config_dir = ssh_client_config_dir %}}
 
 title: 'Use Only FIPS 140-3 Validated MACs'
 
 description: |-
     Limit the MACs to those hash algorithms which are FIPS-approved.
-    The following line in <tt>/etc/ssh/ssh_config</tt>
+    The following line in <tt>{{{ sshc_main_config }}}</tt>
     demonstrates use of FIPS-approved MACs:
 
     <pre>MACs {{{ ssh_approved_macs }}}</pre>
@@ -22,11 +24,10 @@ ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algor
 ocil: |-
     Only FIPS-approved MACs should be used. To verify that only FIPS-approved
     MACs are in use, run the following command:
-    <pre>$ sudo grep -ir macs /etc/ssh/ssh_config*</pre>
+    <pre>$ sudo grep -ir macs {{{ sshc_main_config }}} {{{ sshc_config_dir }}}</pre>
     The output should contain only following MACs:
     <pre>MACs {{{ xccdf_value("ssh_approved_macs") }}}</pre>
 
 warnings:
     - general: |-
         The system needs to be rebooted for these changes to take effect.
-
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh
index 61cd291a5c59..4726b0af2f62 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh
@@ -1,7 +1,8 @@
 # platform = multi_platform_all
 
 #the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy
-file="/etc/ssh/ssh_config.d/02-ospp.conf"
+{{%- set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" -%}}
+file="{{{ sshc_crypto_policy_config }}}"
 echo -e "Match final all\n\
 RekeyLimit 512M 1h\n\
 GSSAPIAuthentication no\n\
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml
index f1227c5ef087..8700fda2e8be 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml
@@ -4,6 +4,7 @@
 #}}
 {{%- set suffix_id_default_not_overriden = "_default_not_overriden" -%}}
 {{%- set common_prefix_regex = "^Match final all(?:.*\n)*?\s*" -%}}
+{{%- set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" -%}}
 
 
 
@@ -131,43 +132,43 @@
 
 <def-group>
   <definition class="compliance" id="harden_ssh_client_crypto_policy" version="3">
-    {{{ oval_metadata("Ensure the ssh client ciphers are configured correctly in /etc/ssh/ssh_config.d/02-ospp.conf", rule_title=rule_title) }}}
+    {{{ oval_metadata("Ensure the ssh client ciphers are configured correctly in " ~ sshc_crypto_policy_config, rule_title=rule_title) }}}
     <criteria comment="SSH client is configured correctly"
     operator="AND">
-        {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Match') }}}
-        {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='RekeyLimit') }}}
-        {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='GSSAPIAuthentication') }}}
-        {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Ciphers') }}}
-        {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='PubkeyAcceptedKeyTypes') }}}
-        {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='MACs') }}}
-        {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='KexAlgorithms') }}}
+        {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='Match') }}}
+        {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='RekeyLimit') }}}
+        {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='GSSAPIAuthentication') }}}
+        {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='Ciphers') }}}
+        {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='PubkeyAcceptedKeyTypes') }}}
+        {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='MACs') }}}
+        {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='KexAlgorithms') }}}
     </criteria>
   </definition>
-  {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Match', missing_parameter_pass=false) }}}
-  {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Match', separator_regex='[\s]+', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='Match', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='Match', separator_regex='[\s]+', missing_parameter_pass=false) }}}
   {{{ hsccp_oval_line_in_file_state(parameter='Match', value='final all') }}}
 
-  {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='RekeyLimit', missing_parameter_pass=false) }}}
-  {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='RekeyLimit', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
+  {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='RekeyLimit', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='RekeyLimit', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
   {{{ hsccp_oval_line_in_file_state(parameter='RekeyLimit', value='512M 1h') }}}
 
-  {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='GSSAPIAuthentication', missing_parameter_pass=false) }}}
-  {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='GSSAPIAuthentication', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
+  {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='GSSAPIAuthentication', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='GSSAPIAuthentication', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
   {{{ hsccp_oval_line_in_file_state(parameter='GSSAPIAuthentication', value='no') }}}
 
-  {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Ciphers', missing_parameter_pass=false) }}}
-  {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Ciphers', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
+  {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='Ciphers', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='Ciphers', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
   {{{ hsccp_oval_line_in_file_state(parameter='Ciphers', value='aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc') }}}
 
-  {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='PubkeyAcceptedKeyTypes', missing_parameter_pass=false) }}}
-  {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='PubkeyAcceptedKeyTypes', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
+  {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='PubkeyAcceptedKeyTypes', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='PubkeyAcceptedKeyTypes', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
   {{{ hsccp_oval_line_in_file_state(parameter='PubkeyAcceptedKeyTypes', value='ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256') }}}
 
-  {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='MACs', missing_parameter_pass=false) }}}
-  {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='MACs', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
+  {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='MACs', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='MACs', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
   {{{ hsccp_oval_line_in_file_state(parameter='MACs', value='hmac-sha2-512,hmac-sha2-256') }}}
 
-  {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='KexAlgorithms', missing_parameter_pass=false) }}}
-  {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='KexAlgorithms', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
+  {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='KexAlgorithms', missing_parameter_pass=false) }}}
+  {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='KexAlgorithms', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}}
   {{{ hsccp_oval_line_in_file_state(parameter='KexAlgorithms', value='ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1') }}}
 </def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml
index 4d50c3ceca6e..2e7e19c30ae8 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml
@@ -1,10 +1,12 @@
 documentation_complete: true
+{{% set sshc_config_dir = ssh_client_config_dir %}}
+{{% set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" %}}
 
 title: 'Harden SSH client Crypto Policy'
 
 description: |-
     Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.
-    To override the system wide crypto policy for Openssh client, place a file in the <tt>/etc/ssh/ssh_config.d/</tt> so that it is loaded before the <tt>05-redhat.conf</tt>. In this case it is file named <tt>02-ospp.conf</tt> containing parameters which need to be changed with respect to the crypto policy.
+    To override the system wide crypto policy for Openssh client, place a file in the <tt>{{{ sshc_config_dir }}}</tt> directory so that it is loaded before the <tt>05-redhat.conf</tt>. In this case it is the <tt>{{{ sshc_crypto_policy_config }}}</tt> file containing parameters which need to be changed with respect to the crypto policy.
     This rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.
     During the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.
 
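Review bot: The rewritten description line renders the directory from `{{{ sshc_config_dir }}}` but still hardcodes `<tt>05-redhat.conf</tt>` as the file that `02-ospp.conf` must be loaded before, so the sentence stays Red Hat-specific even though the path is now taken from the product. If this rule only applies to products that ship that crypto-policies drop-in the wording is harmless; otherwise the file name should be parameterized the same way or qualified, e.g. "before the crypto-policies drop-in (<tt>05-redhat.conf</tt> on Red Hat-family products)". The two `{{% set … %}}` statements added after `documentation_complete: true` render as empty lines in the output, which the YAML tolerates.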
@@ -28,7 +30,7 @@ ocil_clause: 'Crypto Policy for OpenSSH Client is not configured according to CC
 
 ocil: |-
     To verify if the OpenSSH Client uses defined Crypto Policy, run:
-    <pre>$ cat /etc/ssh/ssh_config.d/02-ospp.conf</pre>
+    <pre>$ cat {{{ sshc_crypto_policy_config }}}</pre>
     and verify that the line matches
     <pre>Match final all</pre>
     <pre>RekeyLimit 512M 1h</pre>

From 470ebe8581b20314c8cf57c21df244849605215b Mon Sep 17 00:00:00 2001
From: Samir MOUHOUNE <samir.mouhoune@nav-timing.safrangroup.com>
Date: Tue, 24 Feb 2026 23:05:43 +0100
Subject: [PATCH 251/265] fix(bash): preserve line break before ssh client
 crypto-policy output path

Avoid Jinja whitespace trimming that concatenated a comment and the file assignment in harden_ssh_client_crypto_policy Bash remediation. This keeps 'file=...' on its own line and fixes shellcheck SC2154 in generated fixes.
---
 .../crypto/harden_ssh_client_crypto_policy/bash/shared.sh       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh
index 4726b0af2f62..bbc1f53d7c8d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh
@@ -1,7 +1,7 @@
 # platform = multi_platform_all
 
 #the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy
-{{%- set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" -%}}
+{{% set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" %}}
 file="{{{ sshc_crypto_policy_config }}}"
 echo -e "Match final all\n\
 RekeyLimit 512M 1h\n\
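Review bot: Dropping both trims on the new `{{% set … %}}` line fixes the fusion of the comment and `file=`, but it now leaves an empty line in the generated script where the set tag was; `{{%- set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" %}}` (leading trim only) keeps `file=…` on its own line with no blank line, since only the newline before the tag is consumed. The same applies to the identical change in the Ubuntu cipher remediation in the next commit (`{{% set sshc_cipher_list_config … %}}`), where the leading-trim-only form would likewise avoid the extra blank line. Either form is functionally fine; this is a style point only.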

From 76bf986f41bde00eae6f4c9be7a7e6b10ac892a9 Mon Sep 17 00:00:00 2001
From: Samir MOUHOUNE <samir.mouhoune@nav-timing.safrangroup.com>
Date: Tue, 24 Feb 2026 23:05:47 +0100
Subject: [PATCH 252/265] ssh_client: update product stability data and fix
 bash template newline

Update product stability references for ssh client path properties and fix Jinja whitespace trimming in the Ubuntu bash remediation template.

The template change preserves the newline between variable assignments in the generated shell script and avoids shellcheck failures.
---
 .../ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh | 2 +-
 tests/data/product_stability/alinux2.yml                        | 2 ++
 tests/data/product_stability/alinux3.yml                        | 2 ++
 tests/data/product_stability/anolis23.yml                       | 2 ++
 tests/data/product_stability/anolis8.yml                        | 2 ++
 tests/data/product_stability/debian11.yml                       | 2 ++
 tests/data/product_stability/debian12.yml                       | 2 ++
 tests/data/product_stability/debian13.yml                       | 2 ++
 tests/data/product_stability/eks.yml                            | 2 ++
 tests/data/product_stability/example.yml                        | 2 ++
 tests/data/product_stability/fedora.yml                         | 2 ++
 tests/data/product_stability/firefox.yml                        | 2 ++
 tests/data/product_stability/ocp4.yml                           | 2 ++
 tests/data/product_stability/ol7.yml                            | 2 ++
 tests/data/product_stability/ol8.yml                            | 2 ++
 tests/data/product_stability/ol9.yml                            | 2 ++
 tests/data/product_stability/openembedded.yml                   | 2 ++
 tests/data/product_stability/opensuse.yml                       | 2 ++
 tests/data/product_stability/rhcos4.yml                         | 2 ++
 tests/data/product_stability/rhel10.yml                         | 2 ++
 tests/data/product_stability/rhel8.yml                          | 2 ++
 tests/data/product_stability/rhel9.yml                          | 2 ++
 tests/data/product_stability/rhv4.yml                           | 2 ++
 tests/data/product_stability/sle12.yml                          | 2 ++
 tests/data/product_stability/sle15.yml                          | 2 ++
 tests/data/product_stability/ubuntu2204.yml                     | 2 ++
 tests/data/product_stability/ubuntu2404.yml                     | 2 ++
 27 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh
index e8dc3188311e..01445b652b99 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh
@@ -1,7 +1,7 @@
 # platform = multi_platform_ubuntu
 
 ssh_approved_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr"
-{{%- set sshc_cipher_list_config = ssh_client_config_dir ~ "/00-cipher-list.conf" -%}}
+{{% set sshc_cipher_list_config = ssh_client_config_dir ~ "/00-cipher-list.conf" %}}
 
 main_config="{{{ ssh_client_main_config_file }}}"
 include_directory="{{{ ssh_client_config_dir }}}"
diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml
index 0722865b0d46..6c410a2d2cf1 100644
--- a/tests/data/product_stability/alinux2.yml
+++ b/tests/data/product_stability/alinux2.yml
@@ -39,6 +39,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
 pkg_manager_config_file: /etc/yum.conf
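Review bot: The two new keys are inserted after `nobody_uid` and before `pam_faillock_conf_path`, which breaks the alphabetical ordering the rest of this fixture follows (`nobody_uid`, `oval_feed_url`, `pam_…`, `pkg_…`, `platform_…`); `ssh_client_config_dir` and `ssh_client_main_config_file` belong after the `p*` entries. The same placement is repeated in every other product_stability file in this commit (alinux3 through ubuntu2404). If these fixtures are produced by a generator that sorts keys, regenerating them rather than hand-editing would keep the order consistent; if the stability test compares parsed mappings, the order is cosmetic only. The identical values also land in products with no OpenSSH client relevance (e.g. firefox, ocp4), which looks like a global product-property default rather than per-product data — worth confirming that is intended.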
diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml
index cba2bf2f34e7..91b9a49f8eb5 100644
--- a/tests/data/product_stability/alinux3.yml
+++ b/tests/data/product_stability/alinux3.yml
@@ -39,6 +39,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
 pkg_manager_config_file: /etc/yum.conf
diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml
index f9689aaf8237..c48f1b9c6658 100644
--- a/tests/data/product_stability/anolis23.yml
+++ b/tests/data/product_stability/anolis23.yml
@@ -38,6 +38,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
 pkg_manager_config_file: /etc/yum.conf
diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml
index e643aa9311c8..61579dcd96c8 100644
--- a/tests/data/product_stability/anolis8.yml
+++ b/tests/data/product_stability/anolis8.yml
@@ -38,6 +38,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
 pkg_manager_config_file: /etc/yum.conf
diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml
index e05dfb4aedce..f598ac3aa581 100644
--- a/tests/data/product_stability/debian11.yml
+++ b/tests/data/product_stability/debian11.yml
@@ -43,6 +43,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 11
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: apt_get
 pkg_system: dpkg
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index 8306137e9b8a..8c72066213f9 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
@@ -43,6 +43,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 12
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: apt_get
diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index 04738e3a3f61..031dd9856d7a 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -44,6 +44,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 13
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://www.debian.org/security/oval/oval-definitions-trixie.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: apt_get
diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml
index 6ef528ecaf95..94ec7ba4b230 100644
--- a/tests/data/product_stability/eks.yml
+++ b/tests/data/product_stability/eks.yml
@@ -47,6 +47,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_system: rpm
 platform_package_overrides:
diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml
index 53324adda77d..ed647b05316f 100644
--- a/tests/data/product_stability/example.yml
+++ b/tests/data/product_stability/example.yml
@@ -40,6 +40,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: dnf
 pkg_manager_config_file: /etc/dnf/dnf.conf
diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml
index a88dae3b8f08..7f236804bcfb 100644
--- a/tests/data/product_stability/fedora.yml
+++ b/tests/data/product_stability/fedora.yml
@@ -75,6 +75,8 @@ latest_version: 38
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: dnf
 pkg_manager_config_file: /etc/dnf/dnf.conf
diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml
index 80ae32c4a49f..16129e9dca76 100644
--- a/tests/data/product_stability/firefox.yml
+++ b/tests/data/product_stability/firefox.yml
@@ -38,6 +38,8 @@ grub_helper_executable: grubby
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 platform_package_overrides:
   aarch64_arch: null
diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml
index a2d25472d7fe..5957eda9ce3d 100644
--- a/tests/data/product_stability/ocp4.yml
+++ b/tests/data/product_stability/ocp4.yml
@@ -147,6 +147,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_system: rpm
 platform_package_overrides:
diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
index db78aa4b6942..404b2d59f495 100644
--- a/tests/data/product_stability/ol7.yml
+++ b/tests/data/product_stability/ol7.yml
@@ -44,6 +44,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 7
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://linux.oracle.com/security/oval/com.oracle.elsa-ol7.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
index 150eeb532ad7..6c3880c5d617 100644
--- a/tests/data/product_stability/ol8.yml
+++ b/tests/data/product_stability/ol8.yml
@@ -34,6 +34,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 8
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://linux.oracle.com/security/oval/com.oracle.elsa-ol8.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml
index d3422a65d70b..a765d43ad3f2 100644
--- a/tests/data/product_stability/ol9.yml
+++ b/tests/data/product_stability/ol9.yml
@@ -37,6 +37,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 9
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://linux.oracle.com/security/oval/com.oracle.elsa-ol9.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml
index 602e443be6c3..158a3b57f02d 100644
--- a/tests/data/product_stability/openembedded.yml
+++ b/tests/data/product_stability/openembedded.yml
@@ -51,6 +51,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: dnf
 pkg_manager_config_file: /etc/dnf/dnf.conf
diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml
index e1ce92ccdae1..188726c01e92 100644
--- a/tests/data/product_stability/opensuse.yml
+++ b/tests/data/product_stability/opensuse.yml
@@ -47,6 +47,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: zypper
 pkg_manager_config_file: /etc/zypp/zypper.conf
diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml
index 612a90c8ea9e..d20e239d57d0 100644
--- a/tests/data/product_stability/rhcos4.yml
+++ b/tests/data/product_stability/rhcos4.yml
@@ -41,6 +41,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: dnf
 pkg_manager_config_file: /etc/dnf/dnf.conf
diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml
index 56f541493d9d..fb89fbb3c2ce 100644
--- a/tests/data/product_stability/rhel10.yml
+++ b/tests/data/product_stability/rhel10.yml
@@ -47,6 +47,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 10
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: dnf
 pkg_manager_config_file: /etc/dnf/dnf.conf
diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
index 869f366f3c5f..e2377a08651c 100644
--- a/tests/data/product_stability/rhel8.yml
+++ b/tests/data/product_stability/rhel8.yml
@@ -97,6 +97,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 8
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
 pkg_manager_config_file: /etc/yum.conf
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml
index acaaf0e4a45e..93c04da18761 100644
--- a/tests/data/product_stability/rhel9.yml
+++ b/tests/data/product_stability/rhel9.yml
@@ -53,6 +53,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 9
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: dnf
 pkg_manager_config_file: /etc/dnf/dnf.conf
diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml
index 4ad5097c8256..d5c4bb7f1d28 100644
--- a/tests/data/product_stability/rhv4.yml
+++ b/tests/data/product_stability/rhv4.yml
@@ -46,6 +46,8 @@ init_system: systemd
 login_defs_path: /etc/login.defs
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: yum
 pkg_manager_config_file: /etc/yum.conf
diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml
index 5a49e2cb5449..6f37d82c4335 100644
--- a/tests/data/product_stability/sle12.yml
+++ b/tests/data/product_stability/sle12.yml
@@ -46,6 +46,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 12
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12-patch.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: zypper
diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml
index d98d61efdce0..b8bc702adbe9 100644
--- a/tests/data/product_stability/sle15.yml
+++ b/tests/data/product_stability/sle15.yml
@@ -47,6 +47,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 15
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: zypper
diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml
index 64c54eecd7ff..5a5e96f69018 100644
--- a/tests/data/product_stability/ubuntu2204.yml
+++ b/tests/data/product_stability/ubuntu2204.yml
@@ -47,6 +47,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 2204
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: apt_get
diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml
index 26934d9dbdf0..60393aadd11b 100644
--- a/tests/data/product_stability/ubuntu2404.yml
+++ b/tests/data/product_stability/ubuntu2404.yml
@@ -45,6 +45,8 @@ login_defs_path: /etc/login.defs
 major_version_ordinal: 2404
 nobody_gid: 65534
 nobody_uid: 65534
+ssh_client_config_dir: /etc/ssh/ssh_config.d
+ssh_client_main_config_file: /etc/ssh/ssh_config
 oval_feed_url: https://security-metadata.canonical.com/oval/com.ubuntu.noble.usn.oval.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: apt_get

From 33824ed4c2d8f7f27f0a8bb58f153d3d90fc9ee2 Mon Sep 17 00:00:00 2001
From: Samir MOUHOUNE <samir.mouhoune@nav-timing.safrangroup.com>
Date: Fri, 27 Feb 2026 17:57:11 +0100
Subject: [PATCH 253/265] ssh: apply reviewer-requested Jinja whitespace trim
 in SSH client rule metadata

Apply whitespace-trim Jinja delimiters in SSH client rule YAML metadata where it is formatting-only and does not affect rendered remediation script behavior.

Changes:

- linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml

- linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml

No functional changes intended; this is a style/alignment update per review feedback.
---
 .../ssh_client_use_approved_ciphers_ordered_stig/rule.yml       | 2 +-
 .../ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml
index d5a3fd4861c7..bc8f65cd23a0 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml
@@ -1,7 +1,7 @@
 {{%- if product == 'ubuntu2404' %}}
 {{%- set ssh_approved_ciphers = "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}}
 {{%- endif %}}
-{{% set sshc_main_config = ssh_client_main_config_file %}}
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
 documentation_complete: true
 
 title: 'Use Only FIPS 140-3 Validated Ciphers in SSH Client Configuration'
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml
index 618ba70265e0..a3b143a1e57f 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 {{% set sshc_main_config = ssh_client_main_config_file %}}
-{{% set sshc_config_dir = ssh_client_config_dir %}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
 
 title: 'Use Only FIPS 140-3 Validated MACs'
 
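Review bot: The trimmed delimiters on the new `{{%- set sshc_config_dir … -%}}` line only render correctly because the preceding `{{% set sshc_main_config … %}}` line keeps the untrimmed form: the leading `-` strips the newline that follows that tag and the trailing `-` strips the blank line before `title:`, so `documentation_complete: true` still ends its own line. Applying the "same" trim to the `sshc_main_config` line would consume the newline after `documentation_complete: true` and fuse it with `title:` into one invalid YAML line, so the two set lines should not be made to match. A short Jinja comment on the first set line stating that its untrimmed delimiters are deliberate would stop a later alignment pass from breaking this. In the ciphers rule hunk earlier in this commit the trimmed set follows `{{%- endif %}}`, where the same hazard does not arise.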

From 2dada969c942b8048c3bdeaf84ce865de3010a4e Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 9 Mar 2026 21:40:05 +0200
Subject: [PATCH 254/265] Update shared/macros/10-ansible.jinja

Co-authored-by: Matthew Burket <m@tthewburket.com>
---
 shared/macros/10-ansible.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 7347a88c6775..0af85d577378 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -2418,7 +2418,7 @@ copied onto /etc/ssh/sshd_config, if /etc/ssh/sshd_config does not exist
 {{%- set dir_parameter = "sshd_config_d_has_parameter" -%}}
 {{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
 
-- name: Copy default {{{ sshd_usr_config_path }}} to {{{ sshd_config_path }}}
+- name: {{{ rule_title }}} - Copy default {{{ sshd_usr_config_path }}} to {{{ sshd_config_path }}}
   ansible.builtin.copy:
     src: {{{ sshd_usr_config_path }}}
     dest: {{{ sshd_config_path }}}
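Review bot: `{{{ rule_title }}}` is used inside the macro body on the new `- name:` line, but the macro's signature lies above this hunk, so it is not visible whether `rule_title` is a macro parameter or is expected from the rendering context; if it is a context variable, any caller rendering this macro outside a rule (a template test, for instance) would hit an undefined name. The task name is also left unquoted here while the second hunk in the following commit (`"{{{ rule_title }}} - Check if the parameter …"`) wraps its name in double quotes; a rule title containing `: ` or ` #` would make the unquoted form invalid YAML, so `- name: "{{{ rule_title }}} - Copy default {{{ sshd_usr_config_path }}} to {{{ sshd_config_path }}}"` would be safer and consistent. The enclosing macro starts outside this hunk.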

From b824b4bfb86b30b338e3abb197417bad09cc09fb Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 9 Mar 2026 21:40:19 +0200
Subject: [PATCH 255/265] Update shared/macros/10-ansible.jinja

Co-authored-by: Matthew Burket <m@tthewburket.com>
---
 shared/macros/10-ansible.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 0af85d577378..18ca4a9c5d78 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -2464,7 +2464,7 @@ copied onto /etc/ssh/sshd_config, if /etc/ssh/sshd_config does not exist
             insensitive='false',
             create='no',
             state='absent')|indent }}}
-    - name: "Check if the parameter {{{ parameter }}} is present in {{{ sshd_config_dir }}} and in {{{ sshd_usr_config_dir }}}"
+    - name: "{{{ rule_title }}} - Check if the parameter {{{ parameter }}} is present in {{{ sshd_config_dir }}} and in {{{ sshd_usr_config_dir }}}"
       ansible.builtin.find:
         paths: {{{ ssh_paths }}}
         recurse: 'yes'

From 8b9f0fd78c4d8e230c47883c60f04dcc9ccf3eb8 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 9 Mar 2026 21:51:48 +0200
Subject: [PATCH 256/265] Fix order of platforms RH9 before RH10

Thanks to @Mab879 for the note :bow:
---
 .../sshd_lineinfile/tests/duplicated_param_directory.pass.sh    | 2 +-
 .../sshd_lineinfile/tests/param_conflict_directory.fail.sh      | 2 +-
 .../tests/param_conflict_file_with_directory.fail.sh            | 2 +-
 .../sshd_lineinfile/tests/wrong_value_directory.fail.sh         | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
index 1b94be25b086..82208603091e 100644
--- a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
+++ b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
index 73ed7000227b..265edbc57b95 100644
--- a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 
 {{% if XCCDF_VARIABLE %}}
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
index 530ffdc2fb14..f9684e501973 100644
--- a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 {{% if XCCDF_VARIABLE %}}
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
index c9bf477b34ca..5c94854046f8 100644
--- a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
 {{% if XCCDF_VARIABLE %}}
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}

From 447333e36f9a7e593dc237f70a9c52d9c5684e52 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 10 Mar 2026 14:37:08 +0000
Subject: [PATCH 257/265] Enable rule UBTU-24-200270

Signed-off-by: Alan Moore <alan.moore@canonical.com>
---
 controls/stig_ubuntu2404.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml
index 47c7e37b5d3c..83026b803447 100644
--- a/controls/stig_ubuntu2404.yml
+++ b/controls/stig_ubuntu2404.yml
@@ -363,6 +363,15 @@ controls:
           - account_disable_post_pw_expiration
       status: automated
 
+    - id: UBTU-24-200270
+      title: Ubuntu 24.04 LTS must audit any script or executable called by cron as root or by any privileged user.
+      levels:
+          - medium
+      rules:
+          - audit_rules_etc_cron_d
+          - audit_rules_var_spool_cron
+      status: automated
+
     - id: UBTU-24-200280
       title: Ubuntu 24.04 LTS must generate audit records for all account creations, modifications, disabling,
           and termination events that affect /etc/passwd.
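Review bot: The two rules selected for UBTU-24-200270, `audit_rules_etc_cron_d` and `audit_rules_var_spool_cron`, judging by their names watch /etc/cron.d and /var/spool/cron only, while the title covers any script or executable cron runs as root or a privileged user. Whether the STIG check text also expects /etc/crontab and the /etc/cron.hourly, daily, weekly and monthly directories to be audited is worth confirming before the control is marked `status: automated`, since an automated control that covers only part of the check produces a false pass on the remaining paths. If those locations are required, the `rules:` list needs the corresponding watch rules added, or the status should be narrowed; the enclosing `controls:` list starts outside the hunk.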

From 33bfded78d9b9f26133ab8088237ba9fdd33259b Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Wed, 11 Mar 2026 09:56:47 +0000
Subject: [PATCH 258/265] Include required audit binaries for Ubuntu24.04 stig
 v1r4

Signed-off-by: Alan Moore <alan.moore@canonical.com>
---
 product_properties/10-audit-binaries.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/product_properties/10-audit-binaries.yml b/product_properties/10-audit-binaries.yml
index bf0762d2f54a..c0f332940794 100644
--- a/product_properties/10-audit-binaries.yml
+++ b/product_properties/10-audit-binaries.yml
@@ -11,10 +11,10 @@ default:
     - /sbin/audispd
     {{% endif %}}
     - /sbin/augenrules
-    {{% if 'rhel' in product or product == 'sle16' or product == "ubuntu2204" %}}
+    {{% if 'rhel' in product or product == 'sle16' or 'ubuntu' in product %}}
     - /sbin/audisp-syslog
     {{% endif %}}
-    {{% if product == "ubuntu2204" %}}
+    {{% if 'ubuntu' in product %}}
     - /sbin/audisp-remote
     - /sbin/audispd-zos-remote
     {{% endif %}}
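Review bot: Both changed conditions widen from `product == "ubuntu2204"` to `'ubuntu' in product`, which matches every product id containing that substring, not just the 24.04 product named in the subject. If the intent is only to add 24.04 next to 22.04, an explicit list is safer against older or future Ubuntu products that may not ship `/sbin/audisp-remote` and `/sbin/audispd-zos-remote`: `{{% if 'rhel' in product or product == 'sle16' or product in ['ubuntu2204', 'ubuntu2404'] %}}` and `{{% if product in ['ubuntu2204', 'ubuntu2404'] %}}`. If all Ubuntu products are meant to be covered, presumably the product_stability test data for each of them changes as well (this series updates only ubuntu2404.yml); the enclosing `default:` list starts outside the hunk.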

From d44547f871d0463a9fc0aaae9e50e803b924374e Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Wed, 11 Mar 2026 10:01:25 +0000
Subject: [PATCH 259/265] Update test data

Signed-off-by: Alan Moore <alan.moore@canonical.com>
---
 tests/data/product_stability/ubuntu2404.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml
index 26934d9dbdf0..5e0d3c334275 100644
--- a/tests/data/product_stability/ubuntu2404.yml
+++ b/tests/data/product_stability/ubuntu2404.yml
@@ -11,6 +11,9 @@ audit_binaries:
   - /sbin/autrace
   - /sbin/auditd
   - /sbin/augenrules
+  - /sbin/audisp-syslog
+  - /sbin/audisp-remote
+  - /sbin/audispd-zos-remote
 audit_watches_style: legacy
 auid: 1000
 basic_properties_derived: true

From b12bb7a3b88a4d996ff419d280d214c43338149a Mon Sep 17 00:00:00 2001
From: Eric Berry <eric.berry@canonical.com>
Date: Wed, 11 Mar 2026 16:12:52 -0700
Subject: [PATCH 260/265] Implemented UBTU-24-300019/20/21

---
 controls/stig_ubuntu2404.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml
index 47c7e37b5d3c..0e41d778e3b2 100644
--- a/controls/stig_ubuntu2404.yml
+++ b/controls/stig_ubuntu2404.yml
@@ -582,6 +582,22 @@ controls:
           - accounts_passwords_pam_faildelay_delay
       status: automated
 
+    - id: UBTU-24-300019
+      title: Ubuntu 24.04 LTS must restrict privilege elevation to authorized personnel.
+      levels:
+          - medium
+      rules:
+          - sudo_restrict_privilege_elevation_to_authorized
+      status: automated
+
+    - id: UBTU-24-300020
+      title: Ubuntu 24.04 LTS must require users to provide a password for privilege escalation.
+      levels:
+          - medium
+      rules:
+          - sudo_remove_nopasswd
+      status: automated
+
     - id: UBTU-24-300021
       title: Ubuntu 24.04 LTS must require users to reauthenticate for privilege escalation or when changing
           roles.
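Review bot: The subject says UBTU-24-300019/20/21 were implemented, but the hunk adds only UBTU-24-300019 and UBTU-24-300020; UBTU-24-300021 appears as pre-existing context at the end of the hunk, so either the message overstates the change or an edit to 300021 was left out of the commit. Worth tightening the subject to `Implemented UBTU-24-300019/20` or confirming nothing for 300021 was meant to be included. The enclosing `controls:` list starts outside the hunk.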

From 9616884a5dc5194d3bd4eb5b04bc06a40a9bc26f Mon Sep 17 00:00:00 2001
From: cealcorn <cassidyealcorn@gmail.com>
Date: Tue, 3 Feb 2026 19:12:44 -0800
Subject: [PATCH 261/265] add bascontrol22d

---
 CMakeLists.txt                                |   5 +
 build_product                                 |   1 +
 products/bascontrol22d4/CMakeCache.txt        | 374 ++++++++
 .../CMakeFiles/3.26.3/CMakeCCompiler.cmake    |  72 ++
 .../3.26.3/CMakeDetermineCompilerABI_C.bin    | Bin 0 -> 80488 bytes
 .../CMakeFiles/3.26.3/CMakeSystem.cmake       |  15 +
 .../3.26.3/CompilerIdC/CMakeCCompilerId.c     | 866 ++++++++++++++++++
 .../CMakeFiles/3.26.3/CompilerIdC/a.out       | Bin 0 -> 80632 bytes
 .../CompilerIdCXX/CMakeCXXCompilerId.cpp      | 855 +++++++++++++++++
 .../CMakeFiles/CMakeConfigureLog.yaml         | 451 +++++++++
 .../CMakeFiles/cmake.check_cache              |   1 +
 products/bascontrol22d4/CMakeLists.txt        |   6 +
 products/bascontrol22d4/product.yml           |  17 +
 .../bascontrol22d4/profiles/standard.profile  |  10 +
 .../oval/installed_app_is_bascontrol22d4.xml  |  28 +
 ssg/constants.py                              |  13 +-
 16 files changed, 2708 insertions(+), 6 deletions(-)
 create mode 100644 products/bascontrol22d4/CMakeCache.txt
 create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake
 create mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin
 create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeSystem.cmake
 create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/CMakeCCompilerId.c
 create mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out
 create mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp
 create mode 100644 products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
 create mode 100644 products/bascontrol22d4/CMakeFiles/cmake.check_cache
 create mode 100644 products/bascontrol22d4/CMakeLists.txt
 create mode 100644 products/bascontrol22d4/product.yml
 create mode 100644 products/bascontrol22d4/profiles/standard.profile
 create mode 100644 shared/applicability/oval/installed_app_is_bascontrol22d4.xml

diff --git a/CMakeLists.txt b/CMakeLists.txt
index ab899deea925..36cd03e1804b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -89,6 +89,7 @@ option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content w
 option(SSG_PRODUCT_ALMALINUX9 "If enabled, the AlmaLinux OS 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_BASCONTROL22D4 "If enabled, the Contemporary Controls BAScontrol22D 4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN13 "If enabled, the Debian 13 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -326,6 +327,7 @@ message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}")
 message(STATUS "AlmaLinux OS 9: ${SSG_PRODUCT_ALMALINUX9}")
 message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}")
 message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}")
+message(STATUS "Contemporary Controls BAScontrol22D 4: ${SSG_PRODUCT_BASCONTROL22D4}")
 message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
 message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
 message(STATUS "Debian 13: ${SSG_PRODUCT_DEBIAN13}")
@@ -397,6 +399,9 @@ endif()
 if(SSG_PRODUCT_ANOLIS23)
     add_subdirectory("products/anolis23" "anolis23")
 endif()
+if(SSG_PRODUCT_BASCONTROL22D4)
+    add_subdirectory("products/bascontrol22d4" "bascontrol22d4")
+endif()
 if(SSG_PRODUCT_DEBIAN11)
     add_subdirectory("products/debian11" "debian11")
 endif()
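Review bot: The `products/bascontrol22d4` directory wired in by this `add_subdirectory` is committed together with generated build output — per the diffstat and create-mode lines, CMakeCache.txt, CMakeFiles/3.26.3/CMakeCCompiler.cmake and CMakeSystem.cmake, CMakeConfigureLog.yaml, and two mode-100755 executables (CompilerIdC/a.out and CMakeDetermineCompilerABI_C.bin). These are artifacts of running cmake inside the product directory, they embed the author's absolute checkout path and compiler details, and presumably no other products/* entry carries such files; they should be removed from the commit (and CMakeFiles/, CMakeCache.txt added to .gitignore if not already), leaving CMakeLists.txt, product.yml and profiles/ as the product's source. The option, status message and add_subdirectory lines themselves follow the existing per-product pattern.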
diff --git a/build_product b/build_product
index 76e3d3a69854..003e9a356d7f 100755
--- a/build_product
+++ b/build_product
@@ -333,6 +333,7 @@ all_cmake_products=(
 	ALMALINUX9
 	ANOLIS23
 	ANOLIS8
+        BASCONTROL22D4
 	DEBIAN11
 	DEBIAN12
 	DEBIAN13
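Review bot: The added `BASCONTROL22D4` entry is indented with eight spaces while every surrounding entry in `all_cmake_products` uses a single tab, so the line stands out in the array and in any whitespace-sensitive diff or lint. Replace the leading spaces with one tab to match `ANOLIS8` and `DEBIAN11` above and below it; the enclosing array starts and ends outside the hunk.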
diff --git a/products/bascontrol22d4/CMakeCache.txt b/products/bascontrol22d4/CMakeCache.txt
new file mode 100644
index 000000000000..ee9244e33dc8
--- /dev/null
+++ b/products/bascontrol22d4/CMakeCache.txt
@@ -0,0 +1,374 @@
+# This is the CMakeCache file.
+# For build in directory: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
+# It was generated by CMake: /usr/bin/cmake
+# You can edit this file to change values found and used by cmake.
+# If you do not want to change any of the values, simply exit the editor.
+# If you do want to change a value, simply edit, save, and exit the editor.
+# The syntax for the file is as follows:
+# KEY:TYPE=VALUE
+# KEY is the name of a variable in the cache.
+# TYPE is a hint to GUIs for the type of VALUE, DO NOT EDIT TYPE!.
+# VALUE is the current value for the KEY.
+
+########################
+# EXTERNAL cache entries
+########################
+
+//Path to a program.
+CMAKE_ADDR2LINE:FILEPATH=/usr/bin/addr2line
+
+//Path to a program.
+CMAKE_AR:FILEPATH=/usr/bin/ar
+
+//For backwards compatibility, what version of CMake commands and
+// syntax should this version of CMake try to support.
+CMAKE_BACKWARDS_COMPATIBILITY:STRING=2.4
+
+//Choose the type of build, options are: None Debug Release RelWithDebInfo
+// MinSizeRel ...
+CMAKE_BUILD_TYPE:STRING=
+
+//Enable/Disable color output during build.
+CMAKE_COLOR_MAKEFILE:BOOL=ON
+
+//CXX compiler
+CMAKE_CXX_COMPILER:FILEPATH=CMAKE_CXX_COMPILER-NOTFOUND
+
+//Flags used by the CXX compiler during all build types.
+CMAKE_CXX_FLAGS:STRING=
+
+//Flags used by the CXX compiler during DEBUG builds.
+CMAKE_CXX_FLAGS_DEBUG:STRING=
+
+//Flags used by the CXX compiler during MINSIZEREL builds.
+CMAKE_CXX_FLAGS_MINSIZEREL:STRING=
+
+//Flags used by the CXX compiler during RELEASE builds.
+CMAKE_CXX_FLAGS_RELEASE:STRING=
+
+//Flags used by the CXX compiler during RELWITHDEBINFO builds.
+CMAKE_CXX_FLAGS_RELWITHDEBINFO:STRING=
+
+//C compiler
+CMAKE_C_COMPILER:FILEPATH=/usr/bin/cc
+
+//A wrapper around 'ar' adding the appropriate '--plugin' option
+// for the GCC compiler
+CMAKE_C_COMPILER_AR:FILEPATH=/usr/bin/gcc-ar
+
+//A wrapper around 'ranlib' adding the appropriate '--plugin' option
+// for the GCC compiler
+CMAKE_C_COMPILER_RANLIB:FILEPATH=/usr/bin/gcc-ranlib
+
+//Flags used by the C compiler during all build types.
+CMAKE_C_FLAGS:STRING=
+
+//Flags used by the C compiler during DEBUG builds.
+CMAKE_C_FLAGS_DEBUG:STRING=-g
+
+//Flags used by the C compiler during MINSIZEREL builds.
+CMAKE_C_FLAGS_MINSIZEREL:STRING=-Os -DNDEBUG
+
+//Flags used by the C compiler during RELEASE builds.
+CMAKE_C_FLAGS_RELEASE:STRING=-O3 -DNDEBUG
+
+//Flags used by the C compiler during RELWITHDEBINFO builds.
+CMAKE_C_FLAGS_RELWITHDEBINFO:STRING=-O2 -g -DNDEBUG
+
+//Path to a program.
+CMAKE_DLLTOOL:FILEPATH=CMAKE_DLLTOOL-NOTFOUND
+
+//Flags used by the linker during all build types.
+CMAKE_EXE_LINKER_FLAGS:STRING=
+
+//Flags used by the linker during DEBUG builds.
+CMAKE_EXE_LINKER_FLAGS_DEBUG:STRING=
+
+//Flags used by the linker during MINSIZEREL builds.
+CMAKE_EXE_LINKER_FLAGS_MINSIZEREL:STRING=
+
+//Flags used by the linker during RELEASE builds.
+CMAKE_EXE_LINKER_FLAGS_RELEASE:STRING=
+
+//Flags used by the linker during RELWITHDEBINFO builds.
+CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO:STRING=
+
+//Enable/Disable output of compile commands during generation.
+CMAKE_EXPORT_COMPILE_COMMANDS:BOOL=
+
+//Value Computed by CMake.
+CMAKE_FIND_PACKAGE_REDIRECTS_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/pkgRedirects
+
+//Install path prefix, prepended onto install directories.
+CMAKE_INSTALL_PREFIX:PATH=/usr/local
+
+//Path to a program.
+CMAKE_LINKER:FILEPATH=/usr/bin/ld
+
+//Path to a program.
+CMAKE_MAKE_PROGRAM:FILEPATH=/usr/bin/gmake
+
+//Flags used by the linker during the creation of modules during
+// all build types.
+CMAKE_MODULE_LINKER_FLAGS:STRING=
+
+//Flags used by the linker during the creation of modules during
+// DEBUG builds.
+CMAKE_MODULE_LINKER_FLAGS_DEBUG:STRING=
+
+//Flags used by the linker during the creation of modules during
+// MINSIZEREL builds.
+CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL:STRING=
+
+//Flags used by the linker during the creation of modules during
+// RELEASE builds.
+CMAKE_MODULE_LINKER_FLAGS_RELEASE:STRING=
+
+//Flags used by the linker during the creation of modules during
+// RELWITHDEBINFO builds.
+CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO:STRING=
+
+//Path to a program.
+CMAKE_NM:FILEPATH=/usr/bin/nm
+
+//Path to a program.
+CMAKE_OBJCOPY:FILEPATH=/usr/bin/objcopy
+
+//Path to a program.
+CMAKE_OBJDUMP:FILEPATH=/usr/bin/objdump
+
+//Value Computed by CMake
+CMAKE_PROJECT_DESCRIPTION:STATIC=
+
+//Value Computed by CMake
+CMAKE_PROJECT_HOMEPAGE_URL:STATIC=
+
+//Value Computed by CMake
+CMAKE_PROJECT_NAME:STATIC=Project
+
+//Path to a program.
+CMAKE_RANLIB:FILEPATH=/usr/bin/ranlib
+
+//Path to a program.
+CMAKE_READELF:FILEPATH=/usr/bin/readelf
+
+//Flags used by the linker during the creation of shared libraries
+// during all build types.
+CMAKE_SHARED_LINKER_FLAGS:STRING=
+
+//Flags used by the linker during the creation of shared libraries
+// during DEBUG builds.
+CMAKE_SHARED_LINKER_FLAGS_DEBUG:STRING=
+
+//Flags used by the linker during the creation of shared libraries
+// during MINSIZEREL builds.
+CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL:STRING=
+
+//Flags used by the linker during the creation of shared libraries
+// during RELEASE builds.
+CMAKE_SHARED_LINKER_FLAGS_RELEASE:STRING=
+
+//Flags used by the linker during the creation of shared libraries
+// during RELWITHDEBINFO builds.
+CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO:STRING=
+
+//If set, runtime paths are not added when installing shared libraries,
+// but are added when building.
+CMAKE_SKIP_INSTALL_RPATH:BOOL=NO
+
+//If set, runtime paths are not added when using shared libraries.
+CMAKE_SKIP_RPATH:BOOL=NO
+
+//Flags used by the linker during the creation of static libraries
+// during all build types.
+CMAKE_STATIC_LINKER_FLAGS:STRING=
+
+//Flags used by the linker during the creation of static libraries
+// during DEBUG builds.
+CMAKE_STATIC_LINKER_FLAGS_DEBUG:STRING=
+
+//Flags used by the linker during the creation of static libraries
+// during MINSIZEREL builds.
+CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL:STRING=
+
+//Flags used by the linker during the creation of static libraries
+// during RELEASE builds.
+CMAKE_STATIC_LINKER_FLAGS_RELEASE:STRING=
+
+//Flags used by the linker during the creation of static libraries
+// during RELWITHDEBINFO builds.
+CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO:STRING=
+
+//Path to a program.
+CMAKE_STRIP:FILEPATH=/usr/bin/strip
+
+//If this value is on, makefiles will be generated without the
+// .SILENT directive, and all commands will be echoed to the console
+// during the make.  This is useful for debugging only. With Visual
+// Studio IDE projects all commands are done without /nologo.
+CMAKE_VERBOSE_MAKEFILE:BOOL=FALSE
+
+//Single output directory for building all executables.
+EXECUTABLE_OUTPUT_PATH:PATH=
+
+//Single output directory for building all libraries.
+LIBRARY_OUTPUT_PATH:PATH=
+
+//Value Computed by CMake
+Project_BINARY_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
+
+//Value Computed by CMake
+Project_IS_TOP_LEVEL:STATIC=ON
+
+//Value Computed by CMake
+Project_SOURCE_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
+
+
+########################
+# INTERNAL cache entries
+########################
+
+//ADVANCED property for variable: CMAKE_ADDR2LINE
+CMAKE_ADDR2LINE-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_AR
+CMAKE_AR-ADVANCED:INTERNAL=1
+//This is the directory where this CMakeCache.txt was created
+CMAKE_CACHEFILE_DIR:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
+//Major version of cmake used to create the current loaded cache
+CMAKE_CACHE_MAJOR_VERSION:INTERNAL=3
+//Minor version of cmake used to create the current loaded cache
+CMAKE_CACHE_MINOR_VERSION:INTERNAL=26
+//Patch version of cmake used to create the current loaded cache
+CMAKE_CACHE_PATCH_VERSION:INTERNAL=3
+//ADVANCED property for variable: CMAKE_COLOR_MAKEFILE
+CMAKE_COLOR_MAKEFILE-ADVANCED:INTERNAL=1
+//Path to CMake executable.
+CMAKE_COMMAND:INTERNAL=/usr/bin/cmake
+//Path to cpack program executable.
+CMAKE_CPACK_COMMAND:INTERNAL=/usr/bin/cpack
+//Path to ctest program executable.
+CMAKE_CTEST_COMMAND:INTERNAL=/usr/bin/ctest
+//ADVANCED property for variable: CMAKE_CXX_COMPILER
+CMAKE_CXX_COMPILER-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_CXX_FLAGS
+CMAKE_CXX_FLAGS-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_CXX_FLAGS_DEBUG
+CMAKE_CXX_FLAGS_DEBUG-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_CXX_FLAGS_MINSIZEREL
+CMAKE_CXX_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELEASE
+CMAKE_CXX_FLAGS_RELEASE-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELWITHDEBINFO
+CMAKE_CXX_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_COMPILER
+CMAKE_C_COMPILER-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_COMPILER_AR
+CMAKE_C_COMPILER_AR-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_COMPILER_RANLIB
+CMAKE_C_COMPILER_RANLIB-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_FLAGS
+CMAKE_C_FLAGS-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_FLAGS_DEBUG
+CMAKE_C_FLAGS_DEBUG-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_FLAGS_MINSIZEREL
+CMAKE_C_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_FLAGS_RELEASE
+CMAKE_C_FLAGS_RELEASE-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_C_FLAGS_RELWITHDEBINFO
+CMAKE_C_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_DLLTOOL
+CMAKE_DLLTOOL-ADVANCED:INTERNAL=1
+//Path to cache edit program executable.
+CMAKE_EDIT_COMMAND:INTERNAL=/usr/bin/ccmake
+//Executable file format
+CMAKE_EXECUTABLE_FORMAT:INTERNAL=ELF
+//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS
+CMAKE_EXE_LINKER_FLAGS-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_DEBUG
+CMAKE_EXE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_MINSIZEREL
+CMAKE_EXE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELEASE
+CMAKE_EXE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO
+CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_EXPORT_COMPILE_COMMANDS
+CMAKE_EXPORT_COMPILE_COMMANDS-ADVANCED:INTERNAL=1
+//Name of external makefile project generator.
+CMAKE_EXTRA_GENERATOR:INTERNAL=
+//Name of generator.
+CMAKE_GENERATOR:INTERNAL=Unix Makefiles
+//Generator instance identifier.
+CMAKE_GENERATOR_INSTANCE:INTERNAL=
+//Name of generator platform.
+CMAKE_GENERATOR_PLATFORM:INTERNAL=
+//Name of generator toolset.
+CMAKE_GENERATOR_TOOLSET:INTERNAL=
+//Source directory with the top level CMakeLists.txt file for this
+// project
+CMAKE_HOME_DIRECTORY:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
+//Install .so files without execute permission.
+CMAKE_INSTALL_SO_NO_EXE:INTERNAL=0
+//ADVANCED property for variable: CMAKE_LINKER
+CMAKE_LINKER-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_MAKE_PROGRAM
+CMAKE_MAKE_PROGRAM-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS
+CMAKE_MODULE_LINKER_FLAGS-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_DEBUG
+CMAKE_MODULE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL
+CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELEASE
+CMAKE_MODULE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO
+CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_NM
+CMAKE_NM-ADVANCED:INTERNAL=1
+//number of local generators
+CMAKE_NUMBER_OF_MAKEFILES:INTERNAL=1
+//ADVANCED property for variable: CMAKE_OBJCOPY
+CMAKE_OBJCOPY-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_OBJDUMP
+CMAKE_OBJDUMP-ADVANCED:INTERNAL=1
+//Platform information initialized
+CMAKE_PLATFORM_INFO_INITIALIZED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_RANLIB
+CMAKE_RANLIB-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_READELF
+CMAKE_READELF-ADVANCED:INTERNAL=1
+//Path to CMake installation.
+CMAKE_ROOT:INTERNAL=/usr/share/cmake
+//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS
+CMAKE_SHARED_LINKER_FLAGS-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_DEBUG
+CMAKE_SHARED_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL
+CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELEASE
+CMAKE_SHARED_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
+CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_SKIP_INSTALL_RPATH
+CMAKE_SKIP_INSTALL_RPATH-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_SKIP_RPATH
+CMAKE_SKIP_RPATH-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS
+CMAKE_STATIC_LINKER_FLAGS-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_DEBUG
+CMAKE_STATIC_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL
+CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELEASE
+CMAKE_STATIC_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO
+CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
+//ADVANCED property for variable: CMAKE_STRIP
+CMAKE_STRIP-ADVANCED:INTERNAL=1
+//uname command
+CMAKE_UNAME:INTERNAL=/usr/bin/uname
+//ADVANCED property for variable: CMAKE_VERBOSE_MAKEFILE
+CMAKE_VERBOSE_MAKEFILE-ADVANCED:INTERNAL=1
+//linker supports push/pop state
+_CMAKE_LINKER_PUSHPOP_STATE_SUPPORTED:INTERNAL=TRUE
+
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake
new file mode 100644
index 000000000000..9db2d954e33a
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake
@@ -0,0 +1,72 @@
+set(CMAKE_C_COMPILER "/usr/bin/cc")
+set(CMAKE_C_COMPILER_ARG1 "")
+set(CMAKE_C_COMPILER_ID "GNU")
+set(CMAKE_C_COMPILER_VERSION "12.1.1")
+set(CMAKE_C_COMPILER_VERSION_INTERNAL "")
+set(CMAKE_C_COMPILER_WRAPPER "")
+set(CMAKE_C_STANDARD_COMPUTED_DEFAULT "17")
+set(CMAKE_C_EXTENSIONS_COMPUTED_DEFAULT "ON")
+set(CMAKE_C_COMPILE_FEATURES "c_std_90;c_function_prototypes;c_std_99;c_restrict;c_variadic_macros;c_std_11;c_static_assert;c_std_17;c_std_23")
+set(CMAKE_C90_COMPILE_FEATURES "c_std_90;c_function_prototypes")
+set(CMAKE_C99_COMPILE_FEATURES "c_std_99;c_restrict;c_variadic_macros")
+set(CMAKE_C11_COMPILE_FEATURES "c_std_11;c_static_assert")
+set(CMAKE_C17_COMPILE_FEATURES "c_std_17")
+set(CMAKE_C23_COMPILE_FEATURES "c_std_23")
+
+set(CMAKE_C_PLATFORM_ID "Linux")
+set(CMAKE_C_SIMULATE_ID "")
+set(CMAKE_C_COMPILER_FRONTEND_VARIANT "GNU")
+set(CMAKE_C_SIMULATE_VERSION "")
+
+
+
+
+set(CMAKE_AR "/usr/bin/ar")
+set(CMAKE_C_COMPILER_AR "/usr/bin/gcc-ar")
+set(CMAKE_RANLIB "/usr/bin/ranlib")
+set(CMAKE_C_COMPILER_RANLIB "/usr/bin/gcc-ranlib")
+set(CMAKE_LINKER "/usr/bin/ld")
+set(CMAKE_MT "")
+set(CMAKE_COMPILER_IS_GNUCC 1)
+set(CMAKE_C_COMPILER_LOADED 1)
+set(CMAKE_C_COMPILER_WORKS TRUE)
+set(CMAKE_C_ABI_COMPILED TRUE)
+
+set(CMAKE_C_COMPILER_ENV_VAR "CC")
+
+set(CMAKE_C_COMPILER_ID_RUN 1)
+set(CMAKE_C_SOURCE_FILE_EXTENSIONS c;m)
+set(CMAKE_C_IGNORE_EXTENSIONS h;H;o;O;obj;OBJ;def;DEF;rc;RC)
+set(CMAKE_C_LINKER_PREFERENCE 10)
+
+# Save compiler ABI information.
+set(CMAKE_C_SIZEOF_DATA_PTR "8")
+set(CMAKE_C_COMPILER_ABI "ELF")
+set(CMAKE_C_BYTE_ORDER "LITTLE_ENDIAN")
+set(CMAKE_C_LIBRARY_ARCHITECTURE "")
+
+if(CMAKE_C_SIZEOF_DATA_PTR)
+  set(CMAKE_SIZEOF_VOID_P "${CMAKE_C_SIZEOF_DATA_PTR}")
+endif()
+
+if(CMAKE_C_COMPILER_ABI)
+  set(CMAKE_INTERNAL_PLATFORM_ABI "${CMAKE_C_COMPILER_ABI}")
+endif()
+
+if(CMAKE_C_LIBRARY_ARCHITECTURE)
+  set(CMAKE_LIBRARY_ARCHITECTURE "")
+endif()
+
+set(CMAKE_C_CL_SHOWINCLUDES_PREFIX "")
+if(CMAKE_C_CL_SHOWINCLUDES_PREFIX)
+  set(CMAKE_CL_SHOWINCLUDES_PREFIX "${CMAKE_C_CL_SHOWINCLUDES_PREFIX}")
+endif()
+
+
+
+
+
+set(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include")
+set(CMAKE_C_IMPLICIT_LINK_LIBRARIES "gcc;gcc_s;c;gcc;gcc_s")
+set(CMAKE_C_IMPLICIT_LINK_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib")
+set(CMAKE_C_IMPLICIT_LINK_FRAMEWORK_DIRECTORIES "")
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin
new file mode 100755
index 0000000000000000000000000000000000000000..df1625832f344f4ea52f49e2bf1d3d149e4684b9
GIT binary patch
literal 80488
zcmeI3eQX@Zb->@<k)pmu%CbaDvUG~rAd##KDJeFi8t@*!iBO~~UuqdnvfAS<$%~G6
z%-zx^?KEZ)|KWTUWMf2zp%gBfrb*zoMxeBE5+q7m6ao?;j8hwe)3lTwI}DmOOp_F3
z5t@B(cHVJ!Z<la^7N~(Y#PZF&dGF24Z)U&u9_t?HiN|8VDGq-Ns?=a8mHQuH@#MOV
z0qw8_3^)Y0!zQ$<!;S3>onyJI-B@l$TS^Js$ge$4C6We-syv`d04%w6lJ&aI6^1Uk
zGPBh!vIKWD>Ob{$an-F~TurMC%hT0<xb^HuYVupwe#_dA<-G0~OCBGMjkb)An~57(
zqOw5(y43%5Nw$>kea*>HzHf^vqBK;7Wt89Vp&#}0&89|ecuuz$#id#IpC!-3y9)X2
zy9&7zg?w>x>V##LhsW+bovM^lZSJ`DV0@b6-of`l?CpD(zjkWt9V1U)`N72H`@iy&
zueOcQ7^x2wk8CKBeS^xmc^VHjPrA9r83U4ceqwW7U3zo9VNe}SwHn7?pI+?fe(~oY
z+S2*b*I)hPk8D44Y1=nnzW>0p?|t>!$?T8*?Z$`CAH4Y3(;s;#bN7>1o9nMW@QX{+
z=o*@+Kf6O}j-oCZqW@@w{ub1S#rbN4{RrwCp&8rgz}$NJAZ8n39~=zmKdkl50sUpA
zuZ>edeG=mY?d=HrPousGcES8+19R@2l6)Aq-LL~E#h@bGt^Nai2_^ME*w3A)C;Mg{
zhx$k99^At0&!V2%UC{Qok};+~#Vw2vm?o~oVYA{`Wyc)1@<p(+rLqI0rS*6xnEjcv
zX3j3#qxp(smosNO3#Fo+v9bjly|a~yb~Yhj94VQV{3CX0#LP`NWiaiW<yhLvF6K-V
z^Q3ZJurNAaDpvi?{vpig@<ns9V&~Aii2vxn@~gJw_9(PJy#xIno#x3@+g-rfQ>SVC
zaokg4xQEdHs6Vocq2+BTdH=pN_gUOk67YSkyQ0c*c$thb&99}EjNuNccXd_1;nCB6
z$!Wo(_aBGdbsNVxF*ZiIS+7shd*d{E^mHuXbkEVmi>r@*>r1N%m^%*e<m#i}{^GY#
zcP(MQL^exUw}hhUjoy{USMHfh#t*-AIGK2nx5gOEHpPvV#yF@tRo;Z<w|UB2vE1R7
z&6dQAx5LZ}hj4o>0bjnEFjihU3UjYx``Fwp%paUfU|k(<KU-V7w1gY^v;*v+HYrbi
zTfjcS&wE!4fGe-At?eTn)gz2qn1MMw#m*i<iR=Dfui<InCfXla>|L?Yekl?AGT=DW
z7z6f40KWUS-#+%k^!7je<dNT|Kl5$0e+7LzmU>sR$~Rv1rS@EY-&Fj5wGCEo!FU(S
z#(QP}-u+|jdlF{OT`0qQeznb5S$*_7RkqBJ#`7=O|Fw_74;FU8^EVT)vUV7r2V@bO
zIXbtnYv%dn*oAh~A6qzVpgy*3LD$2=(Yc#g4^!4uX#Itj4eMhIEs^o5E$q`AG4igF
z;QFBT?@j%KJws<ayYz#t?H{1}!TzD1>=|d;w96$s_h7ld!|WaG?(Z5*gQ{14*=ff%
zOJzKEJUGyw$qaOx-Gg2I=|Qwm^;S0jAYMO_L+n7}ce_y1x$5fb+S>b3E~A`4+5E=Z
z+7l@IP}1@536#&FypHk)%6XKyrd4XxGWN(hsGB+zJFxw*+LxPApTT(Qc$;oGMCaE#
zaGOCLUvrQv`BOihKz%DIFp=&&Zl7m=%(viHz-=CNxRwFZC(=8UpR4<mM8{|1egFL9
zAMQjAs;QkPaa#<uL;7cNyMcOjOh<2<4)&6SfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@LO=)z0U;m+gn$qb0zyCt2mv7=
z1m2Pa8aErN-}4QwjOkI_rsZ}mXE(X^J9PPq_G7!n)wHTPpzAklxnIjAU4Jl8|C=|~
zN~C%!ZjgX_^&j9`ouP7@ba^@MmbdEiYg%s8vRTVpwPcadnZ-4?e{o&z({hiN4O;Hw
zdOcp&gD&&9*nf+*=l0)NbH_7ZZ>X9zU1qLJy8H!QuigL8#Iol8KW*SSJ>H<CIK7>n
zXOi#e9em$AlWiwcZK<~8$<~u6Ti@M!SMnX_>|C<Xa&*Osws)dEF>548gwUIAiJh|A
z0Q7phTgxz;K3(_z4QzN_KI566U|YOaujw@#*472xM)L+X9EW9C9Ij&-X2X4bc7r~1
zU%#jOL+ji(u8FqRyY57#?l;RMs#J1W*Ow=Y#e8uzIXXNXoGeIcQ#~*BR<T&h=8K`W
zyq~k}L}79iO^epJeI}_LDID*QuHCWTq5Gjwk2@Xj$66n!{c@MD{o@tK8op=_7p%${
zz%9PIW5XlnM7iYH!%n_bq!@f0((!tR&Sm<09)LA++w1c^-aF9W(Ru#7nZED7ZnPR2
zybtRG{b`{7)cgF7(9{KEmB#aqIa0<^n-isc(Xq>D6X?q(+~-vy|J&&wC3iluWve(m
z<{8VGoIPSq7928>IhHw={aE&6IabTD8n2V&d`u@rO6uGx=VQ6%l4~w~y(`z%?vX*R
ztJSel?w#b`N$#EG-bwDA<laf{o#fu>|L?O*e%{YA>A#MX=hf-A{_|>{Tb44%HSZDL
z^6w-J{oaY+(a9XYb?2Dgm(jb$n0qf7`i?6&-~7(Y^*I*${!PaVUF+CfWJ=&ej`p}w
zQ=fo1WJ2``m<rX`Rlh6n21`IaEQi`}s(yFiw{L*3_w@;Uv(4}M{r31(fPS~@*KdWs
zQ2jRG_t<{>?ZEHf{d%O&?|nTL3D^nz-r1vu1iopV*YA=2`bOy6Vt7?5pMWNq4b|@k
z{?5bel)$&O{C$UCzX!s;KS;o>a9w|o;kVxl{GEnhzYm(B!>dyH1Zoe4>Z@<7eLe};
z56OT%E_tYfU#j=UUSsw0m)`6KIMZ_mdgFUKpm)C;X@buOxT)`7;yZxPh1`Z~zaREA
z`^S|cgAn^3tq=Bx<K$xgI3J9#e<VWBaT*)^aV|yJUyaanoNsLR$N9$y`(H=sInLN_
zf1DjOVaO+(L+x?k7~02h58&fNlG?*`TE~f+m*w01?RG`jpWm=Q`=Kx4k5h=Se>_6Z
z9DcpoALnxs_Fs$8bDU>(`s2J1VgK(DdX6)&#~&vVN2rnWQhWS4sO^o={b)b@(*b|{
z)7qY|H`FBJzk4@qcR$=w?~hZ6u>Vwqp2vG*t3S?PM%cd)q31Y{H~QoJM}+-e`XD8e
z=YDA2>yL9P!ak$*LC%kAeUK*~_k#9r|C``y;Q00o#@Xoj8I1oIXdlPpC+qj<iFDho
zJrBD2+Vk3#4cpxY{EZc_6OO~*Rk8l-8^+lI7Xs_^A9VkN`s-Rh8?bk|?SdPD^Y4$e
zJ%4w}{rM&8W1jOG?S_=xIJM{5Rb^kRZ>e)R^Y@)@6pmAS9&bha7}V-{-sc1J?&@pL
zze5-&Y&|fCg#d?P)$T4>*7`%bqaW4!X5DU5>o044yVmd2dS18u{hn59ZcWg>)nJv9
zf4*Tqo8aDn{a>keYxNW?Y`ot<`*_Ip*mrdQgX`h@%6<p%e&>z{;HS#I_Bv__^>o!9
zynaj6(>(5j;C0R}rLVp2`W@8A@yoN|^{3l@?e*tzwBJol2T~vElK~wSpHlkT>$e>0
z8$IisUCXF%!s}IDC;UC{C$)WWTpv^VeKpsCpNO#kthNtcPyQL|liUf9{0i#B#`|}u
zr+)HvwVDp}doLc(X<Wg6URH6|uUqccZM=Z`F#DIaK6rggec6r2PhRJjb)47HKB@CQ
zF<f@qQYC1a0@HlBY)zQsR=x-=IY{ZRHccy=H;edfWokG~XWGS3+tgUeiL#HXOHCFF
z`HOa8I?{0?gA{%sT6QKUBAqv=PuWxX=<cdYQ-N@-(e?QGV&3smam#)puFgN=b-OTq
z2nCNrEdkv^&FDN%5p{u4dmQ{Y(A~)on`OID8upIYulJAJU*{jEzmEJist@525}=lg
z->7zV`0G_KP~~4iewzR<f29iG=Vs;#E;P%rO>I4qx81I+FQX_k+Ou%?%;WAkY!wRT
z!?tzN94V5nNV>9<wecfs%;xMe<|_EPvFVKCC(@;&UBUf1S29NnrL0vjb55yTF|Eld
z7%q)Z6l}-NrCP%+%n@7%rd2Lm(>NrjJPq#m%(=<&@o9ANluTMNKGV*#)<wIs6Whoa
z>~gxJAD2tMI8rjR(}<u{#*UiV{3x-?Tg95HLf&x-wyzeCJ~UEVBPDFT=Un=1x7j_|
zWtyORN`t7B%rUE&E7%Z$63ng#2GeKzJJA|{mtc1H=|Fv5=TMb7+sPq&2ZlP*1Ljaq
z&wbq)Gn4KZ=*EU<oM>0bXNPGX%Z@rq8tTcFc`|kCG?@LFv*!9VU__dPjFqKMnb}H3
z`<d>TEBQz4(ukRxaLQoXIm@xM6^@feW|GQv!NTZxsaW;5vZb<9ZMy9)Y<dVQbNQk<
zS+R3y&M~U3y1nBi;_DlvD%0bRl||{4T{*@%_5C^?PSwGGv^bf{PUZ`_6L~z|D-}-f
z33WWAx-t4JKb4y<Vmw#k&{9<MkX^3OSNYz8iFJ55vB*K^Ch#NolmeY{>?zFCI>fq?
zqLZ@6^vWB{p)Z$Q4|fT=9-PO()_5LIS)+6w!hb2%fEx_SKnnMSaa`bTztqrDmgAK3
z*+~cYp8uspzjun^Mz?X4+T#WZlu7{q9?C7bwwxz<6gT>f5&QG=&5TyGkdY_xbq1@{
zPe8E1{`{O{N-L6VsAbT<3-$krze!^Mr{adPd`c@WsM7lTM7}Q7Y8b@KHr&{MIc{JH
z@cF6|aGl^_qTgFkmi?PaiRt%o!&{iDKmYFQn(pXpWaLRYTvbEQx$wsp)&BEy+ArYs
z5T&=f0(7z34)^yW*3)mcxXjOU=e0wt_7C=7tAU=UQCHa?HW_XeIbiB@MYa9l_#el5
z^6$`g{Cv1C#Gjti2mSvDb;LxQSFht|wSs?dr^BnZI8XB9xOx5gdGmAH|6Z>#=GAYI
zJh~?X{?K5!wfcv1R{|5JYh4@s|1@si_WAks6+KX1C+tA1yy+P%kU#V1>+yN*|B%-h
z^UROcU&M^ppYNyo^bh;G*ig%0`+pPg=jZ0L+W+qZ{=xRIVLjc$(mp_mpRX^jy5*of
zmsx%f&FFVj?9b2Pm)@lR4fLg{W`BNOzpVY|_5AVr;&yo*+(ch8VSj$Ee_cOOPhy=n
zu|Lb#vC`|$&;J*-Kkt7WgZ)_kBH+*Wb<HZOyKk{CNj;pZ>Nl99SloZU-#Yjv{r^kH
z4EB@#Q`MH-47blRff?FWX0#pOHxB6b_vi;Ac;~26aQ#snUi;cai3^9^7RIzA9S8mZ
pH|ECs6)jU9yK>b3t{>Mu<cZgMt*x3iVJ_6a&9%HO;1DRne*-+aus;9*

literal 0
HcmV?d00001

diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeSystem.cmake b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeSystem.cmake
new file mode 100644
index 000000000000..1e0f5066e32b
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeSystem.cmake
@@ -0,0 +1,15 @@
+set(CMAKE_HOST_SYSTEM "Linux-5.18.13-200.fc36.aarch64")
+set(CMAKE_HOST_SYSTEM_NAME "Linux")
+set(CMAKE_HOST_SYSTEM_VERSION "5.18.13-200.fc36.aarch64")
+set(CMAKE_HOST_SYSTEM_PROCESSOR "aarch64")
+
+
+
+set(CMAKE_SYSTEM "Linux-5.18.13-200.fc36.aarch64")
+set(CMAKE_SYSTEM_NAME "Linux")
+set(CMAKE_SYSTEM_VERSION "5.18.13-200.fc36.aarch64")
+set(CMAKE_SYSTEM_PROCESSOR "aarch64")
+
+set(CMAKE_CROSSCOMPILING "FALSE")
+
+set(CMAKE_SYSTEM_LOADED 1)
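Review bot: CMakeSystem.cmake is configure-time output of a local CMake run and does not belong in the source tree; the whole `products/bascontrol22d4/CMakeFiles/3.26.3/` hunk should be dropped from the commit rather than reviewed. Its values are host-specific (`CMAKE_HOST_SYSTEM "Linux-5.18.13-200.fc36.aarch64"`, `CMAKE_SYSTEM_PROCESSOR "aarch64"`) and will be stale or wrong for anyone else who configures the product, and if these files are ever picked up by an in-source build they would presumably short-circuit system detection (`CMAKE_SYSTEM_LOADED 1`). The same applies to the generated CompilerIdC/CMakeCCompilerId.c hunk that follows and, more seriously, to the compiled `CompilerIdC/a.out` binary added with mode 100755 below it — an executable that cannot be reviewed from source and would ship in any tarball cut from this tree. Suggest removing the directory from the commit and adding `CMakeFiles/` and `CMakeCache.txt` to the repository's ignore list so a stray configure run cannot be re-committed.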
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/CMakeCCompilerId.c b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/CMakeCCompilerId.c
new file mode 100644
index 000000000000..88155ff20cb6
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/CMakeCCompilerId.c
@@ -0,0 +1,866 @@
+#ifdef __cplusplus
+# error "A C++ compiler has been selected for C."
+#endif
+
+#if defined(__18CXX)
+# define ID_VOID_MAIN
+#endif
+#if defined(__CLASSIC_C__)
+/* cv-qualifiers did not exist in K&R C */
+# define const
+# define volatile
+#endif
+
+#if !defined(__has_include)
+/* If the compiler does not have __has_include, pretend the answer is
+   always no.  */
+#  define __has_include(x) 0
+#endif
+
+
+/* Version number components: V=Version, R=Revision, P=Patch
+   Version date components:   YYYY=Year, MM=Month,   DD=Day  */
+
+#if defined(__INTEL_COMPILER) || defined(__ICC)
+# define COMPILER_ID "Intel"
+# if defined(_MSC_VER)
+#  define SIMULATE_ID "MSVC"
+# endif
+# if defined(__GNUC__)
+#  define SIMULATE_ID "GNU"
+# endif
+  /* __INTEL_COMPILER = VRP prior to 2021, and then VVVV for 2021 and later,
+     except that a few beta releases use the old format with V=2021.  */
+# if __INTEL_COMPILER < 2021 || __INTEL_COMPILER == 202110 || __INTEL_COMPILER == 202111
+#  define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER/100)
+#  define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER/10 % 10)
+#  if defined(__INTEL_COMPILER_UPDATE)
+#   define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER_UPDATE)
+#  else
+#   define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER   % 10)
+#  endif
+# else
+#  define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER)
+#  define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER_UPDATE)
+   /* The third version component from --version is an update index,
+      but no macro is provided for it.  */
+#  define COMPILER_VERSION_PATCH DEC(0)
+# endif
+# if defined(__INTEL_COMPILER_BUILD_DATE)
+   /* __INTEL_COMPILER_BUILD_DATE = YYYYMMDD */
+#  define COMPILER_VERSION_TWEAK DEC(__INTEL_COMPILER_BUILD_DATE)
+# endif
+# if defined(_MSC_VER)
+   /* _MSC_VER = VVRR */
+#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+# endif
+# if defined(__GNUC__)
+#  define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
+# elif defined(__GNUG__)
+#  define SIMULATE_VERSION_MAJOR DEC(__GNUG__)
+# endif
+# if defined(__GNUC_MINOR__)
+#  define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
+# endif
+# if defined(__GNUC_PATCHLEVEL__)
+#  define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+# endif
+
+#elif (defined(__clang__) && defined(__INTEL_CLANG_COMPILER)) || defined(__INTEL_LLVM_COMPILER)
+# define COMPILER_ID "IntelLLVM"
+#if defined(_MSC_VER)
+# define SIMULATE_ID "MSVC"
+#endif
+#if defined(__GNUC__)
+# define SIMULATE_ID "GNU"
+#endif
+/* __INTEL_LLVM_COMPILER = VVVVRP prior to 2021.2.0, VVVVRRPP for 2021.2.0 and
+ * later.  Look for 6 digit vs. 8 digit version number to decide encoding.
+ * VVVV is no smaller than the current year when a version is released.
+ */
+#if __INTEL_LLVM_COMPILER < 1000000L
+# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/100)
+# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER    % 10)
+#else
+# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/10000)
+# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/100 % 100)
+# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER     % 100)
+#endif
+#if defined(_MSC_VER)
+  /* _MSC_VER = VVRR */
+# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+#endif
+#if defined(__GNUC__)
+# define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
+#elif defined(__GNUG__)
+# define SIMULATE_VERSION_MAJOR DEC(__GNUG__)
+#endif
+#if defined(__GNUC_MINOR__)
+# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
+#endif
+#if defined(__GNUC_PATCHLEVEL__)
+# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+#endif
+
+#elif defined(__PATHCC__)
+# define COMPILER_ID "PathScale"
+# define COMPILER_VERSION_MAJOR DEC(__PATHCC__)
+# define COMPILER_VERSION_MINOR DEC(__PATHCC_MINOR__)
+# if defined(__PATHCC_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__PATHCC_PATCHLEVEL__)
+# endif
+
+#elif defined(__BORLANDC__) && defined(__CODEGEARC_VERSION__)
+# define COMPILER_ID "Embarcadero"
+# define COMPILER_VERSION_MAJOR HEX(__CODEGEARC_VERSION__>>24 & 0x00FF)
+# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF)
+# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__     & 0xFFFF)
+
+#elif defined(__BORLANDC__)
+# define COMPILER_ID "Borland"
+  /* __BORLANDC__ = 0xVRR */
+# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8)
+# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF)
+
+#elif defined(__WATCOMC__) && __WATCOMC__ < 1200
+# define COMPILER_ID "Watcom"
+   /* __WATCOMC__ = VVRR */
+# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100)
+# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
+# if (__WATCOMC__ % 10) > 0
+#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
+# endif
+
+#elif defined(__WATCOMC__)
+# define COMPILER_ID "OpenWatcom"
+   /* __WATCOMC__ = VVRP + 1100 */
+# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100)
+# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
+# if (__WATCOMC__ % 10) > 0
+#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
+# endif
+
+#elif defined(__SUNPRO_C)
+# define COMPILER_ID "SunPro"
+# if __SUNPRO_C >= 0x5100
+   /* __SUNPRO_C = 0xVRRP */
+#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>12)
+#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xFF)
+#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_C    & 0xF)
+# else
+   /* __SUNPRO_CC = 0xVRP */
+#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>8)
+#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xF)
+#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_C    & 0xF)
+# endif
+
+#elif defined(__HP_cc)
+# define COMPILER_ID "HP"
+  /* __HP_cc = VVRRPP */
+# define COMPILER_VERSION_MAJOR DEC(__HP_cc/10000)
+# define COMPILER_VERSION_MINOR DEC(__HP_cc/100 % 100)
+# define COMPILER_VERSION_PATCH DEC(__HP_cc     % 100)
+
+#elif defined(__DECC)
+# define COMPILER_ID "Compaq"
+  /* __DECC_VER = VVRRTPPPP */
+# define COMPILER_VERSION_MAJOR DEC(__DECC_VER/10000000)
+# define COMPILER_VERSION_MINOR DEC(__DECC_VER/100000  % 100)
+# define COMPILER_VERSION_PATCH DEC(__DECC_VER         % 10000)
+
+#elif defined(__IBMC__) && defined(__COMPILER_VER__)
+# define COMPILER_ID "zOS"
+  /* __IBMC__ = VRP */
+# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100)
+# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__IBMC__    % 10)
+
+#elif defined(__open_xl__) && defined(__clang__)
+# define COMPILER_ID "IBMClang"
+# define COMPILER_VERSION_MAJOR DEC(__open_xl_version__)
+# define COMPILER_VERSION_MINOR DEC(__open_xl_release__)
+# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__)
+# define COMPILER_VERSION_TWEAK DEC(__open_xl_ptf_fix_level__)
+
+
+#elif defined(__ibmxl__) && defined(__clang__)
+# define COMPILER_ID "XLClang"
+# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__)
+# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__)
+# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__)
+# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__)
+
+
+#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ >= 800
+# define COMPILER_ID "XL"
+  /* __IBMC__ = VRP */
+# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100)
+# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__IBMC__    % 10)
+
+#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ < 800
+# define COMPILER_ID "VisualAge"
+  /* __IBMC__ = VRP */
+# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100)
+# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__IBMC__    % 10)
+
+#elif defined(__NVCOMPILER)
+# define COMPILER_ID "NVHPC"
+# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__)
+# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__)
+# if defined(__NVCOMPILER_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__)
+# endif
+
+#elif defined(__PGI)
+# define COMPILER_ID "PGI"
+# define COMPILER_VERSION_MAJOR DEC(__PGIC__)
+# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__)
+# if defined(__PGIC_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__)
+# endif
+
+#elif defined(_CRAYC)
+# define COMPILER_ID "Cray"
+# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR)
+# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR)
+
+#elif defined(__TI_COMPILER_VERSION__)
+# define COMPILER_ID "TI"
+  /* __TI_COMPILER_VERSION__ = VVVRRRPPP */
+# define COMPILER_VERSION_MAJOR DEC(__TI_COMPILER_VERSION__/1000000)
+# define COMPILER_VERSION_MINOR DEC(__TI_COMPILER_VERSION__/1000   % 1000)
+# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__        % 1000)
+
+#elif defined(__CLANG_FUJITSU)
+# define COMPILER_ID "FujitsuClang"
+# define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
+# define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
+# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
+# define COMPILER_VERSION_INTERNAL_STR __clang_version__
+
+
+#elif defined(__FUJITSU)
+# define COMPILER_ID "Fujitsu"
+# if defined(__FCC_version__)
+#   define COMPILER_VERSION __FCC_version__
+# elif defined(__FCC_major__)
+#   define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
+#   define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
+#   define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
+# endif
+# if defined(__fcc_version)
+#   define COMPILER_VERSION_INTERNAL DEC(__fcc_version)
+# elif defined(__FCC_VERSION)
+#   define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION)
+# endif
+
+
+#elif defined(__ghs__)
+# define COMPILER_ID "GHS"
+/* __GHS_VERSION_NUMBER = VVVVRP */
+# ifdef __GHS_VERSION_NUMBER
+# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100)
+# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER      % 10)
+# endif
+
+#elif defined(__TASKING__)
+# define COMPILER_ID "Tasking"
+  # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000)
+  # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100)
+# define COMPILER_VERSION_INTERNAL DEC(__VERSION__)
+
+#elif defined(__TINYC__)
+# define COMPILER_ID "TinyCC"
+
+#elif defined(__BCC__)
+# define COMPILER_ID "Bruce"
+
+#elif defined(__SCO_VERSION__)
+# define COMPILER_ID "SCO"
+
+#elif defined(__ARMCC_VERSION) && !defined(__clang__)
+# define COMPILER_ID "ARMCC"
+#if __ARMCC_VERSION >= 1000000
+  /* __ARMCC_VERSION = VRRPPPP */
+  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000)
+  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 100)
+  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION     % 10000)
+#else
+  /* __ARMCC_VERSION = VRPPPP */
+  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000)
+  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10)
+  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION    % 10000)
+#endif
+
+
+#elif defined(__clang__) && defined(__apple_build_version__)
+# define COMPILER_ID "AppleClang"
+# if defined(_MSC_VER)
+#  define SIMULATE_ID "MSVC"
+# endif
+# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
+# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
+# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
+# if defined(_MSC_VER)
+   /* _MSC_VER = VVRR */
+#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+# endif
+# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__)
+
+#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION)
+# define COMPILER_ID "ARMClang"
+  # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000)
+  # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100)
+  # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION     % 10000)
+# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION)
+
+#elif defined(__clang__)
+# define COMPILER_ID "Clang"
+# if defined(_MSC_VER)
+#  define SIMULATE_ID "MSVC"
+# endif
+# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
+# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
+# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
+# if defined(_MSC_VER)
+   /* _MSC_VER = VVRR */
+#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+# endif
+
+#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__))
+# define COMPILER_ID "LCC"
+# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100)
+# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100)
+# if defined(__LCC_MINOR__)
+#  define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__)
+# endif
+# if defined(__GNUC__) && defined(__GNUC_MINOR__)
+#  define SIMULATE_ID "GNU"
+#  define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
+#  define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
+#  if defined(__GNUC_PATCHLEVEL__)
+#   define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+#  endif
+# endif
+
+#elif defined(__GNUC__)
+# define COMPILER_ID "GNU"
+# define COMPILER_VERSION_MAJOR DEC(__GNUC__)
+# if defined(__GNUC_MINOR__)
+#  define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__)
+# endif
+# if defined(__GNUC_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+# endif
+
+#elif defined(_MSC_VER)
+# define COMPILER_ID "MSVC"
+  /* _MSC_VER = VVRR */
+# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100)
+# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100)
+# if defined(_MSC_FULL_VER)
+#  if _MSC_VER >= 1400
+    /* _MSC_FULL_VER = VVRRPPPPP */
+#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000)
+#  else
+    /* _MSC_FULL_VER = VVRRPPPP */
+#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000)
+#  endif
+# endif
+# if defined(_MSC_BUILD)
+#  define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD)
+# endif
+
+#elif defined(_ADI_COMPILER)
+# define COMPILER_ID "ADSP"
+#if defined(__VERSIONNUM__)
+  /* __VERSIONNUM__ = 0xVVRRPPTT */
+#  define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF)
+#  define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF)
+#  define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF)
+#  define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF)
+#endif
+
+#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
+# define COMPILER_ID "IAR"
+# if defined(__VER__) && defined(__ICCARM__)
+#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000)
+#  define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000)
+#  define COMPILER_VERSION_PATCH DEC((__VER__) % 1000)
+#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
+# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__))
+#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 100)
+#  define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100))
+#  define COMPILER_VERSION_PATCH DEC(__SUBVERSION__)
+#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
+# endif
+
+#elif defined(__SDCC_VERSION_MAJOR) || defined(SDCC)
+# define COMPILER_ID "SDCC"
+# if defined(__SDCC_VERSION_MAJOR)
+#  define COMPILER_VERSION_MAJOR DEC(__SDCC_VERSION_MAJOR)
+#  define COMPILER_VERSION_MINOR DEC(__SDCC_VERSION_MINOR)
+#  define COMPILER_VERSION_PATCH DEC(__SDCC_VERSION_PATCH)
+# else
+  /* SDCC = VRP */
+#  define COMPILER_VERSION_MAJOR DEC(SDCC/100)
+#  define COMPILER_VERSION_MINOR DEC(SDCC/10 % 10)
+#  define COMPILER_VERSION_PATCH DEC(SDCC    % 10)
+# endif
+
+
+/* These compilers are either not known or too old to define an
+  identification macro.  Try to identify the platform and guess that
+  it is the native compiler.  */
+#elif defined(__hpux) || defined(__hpua)
+# define COMPILER_ID "HP"
+
+#else /* unknown compiler */
+# define COMPILER_ID ""
+#endif
+
+/* Construct the string literal in pieces to prevent the source from
+   getting matched.  Store it in a pointer rather than an array
+   because some compilers will just produce instructions to fill the
+   array rather than assigning a pointer to a static array.  */
+char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]";
+#ifdef SIMULATE_ID
+char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]";
+#endif
+
+#ifdef __QNXNTO__
+char const* qnxnto = "INFO" ":" "qnxnto[]";
+#endif
+
+#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
+char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]";
+#endif
+
+#define STRINGIFY_HELPER(X) #X
+#define STRINGIFY(X) STRINGIFY_HELPER(X)
+
+/* Identify known platforms by name.  */
+#if defined(__linux) || defined(__linux__) || defined(linux)
+# define PLATFORM_ID "Linux"
+
+#elif defined(__MSYS__)
+# define PLATFORM_ID "MSYS"
+
+#elif defined(__CYGWIN__)
+# define PLATFORM_ID "Cygwin"
+
+#elif defined(__MINGW32__)
+# define PLATFORM_ID "MinGW"
+
+#elif defined(__APPLE__)
+# define PLATFORM_ID "Darwin"
+
+#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
+# define PLATFORM_ID "Windows"
+
+#elif defined(__FreeBSD__) || defined(__FreeBSD)
+# define PLATFORM_ID "FreeBSD"
+
+#elif defined(__NetBSD__) || defined(__NetBSD)
+# define PLATFORM_ID "NetBSD"
+
+#elif defined(__OpenBSD__) || defined(__OPENBSD)
+# define PLATFORM_ID "OpenBSD"
+
+#elif defined(__sun) || defined(sun)
+# define PLATFORM_ID "SunOS"
+
+#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__)
+# define PLATFORM_ID "AIX"
+
+#elif defined(__hpux) || defined(__hpux__)
+# define PLATFORM_ID "HP-UX"
+
+#elif defined(__HAIKU__)
+# define PLATFORM_ID "Haiku"
+
+#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS)
+# define PLATFORM_ID "BeOS"
+
+#elif defined(__QNX__) || defined(__QNXNTO__)
+# define PLATFORM_ID "QNX"
+
+#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__)
+# define PLATFORM_ID "Tru64"
+
+#elif defined(__riscos) || defined(__riscos__)
+# define PLATFORM_ID "RISCos"
+
+#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__)
+# define PLATFORM_ID "SINIX"
+
+#elif defined(__UNIX_SV__)
+# define PLATFORM_ID "UNIX_SV"
+
+#elif defined(__bsdos__)
+# define PLATFORM_ID "BSDOS"
+
+#elif defined(_MPRAS) || defined(MPRAS)
+# define PLATFORM_ID "MP-RAS"
+
+#elif defined(__osf) || defined(__osf__)
+# define PLATFORM_ID "OSF1"
+
+#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv)
+# define PLATFORM_ID "SCO_SV"
+
+#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX)
+# define PLATFORM_ID "ULTRIX"
+
+#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX)
+# define PLATFORM_ID "Xenix"
+
+#elif defined(__WATCOMC__)
+# if defined(__LINUX__)
+#  define PLATFORM_ID "Linux"
+
+# elif defined(__DOS__)
+#  define PLATFORM_ID "DOS"
+
+# elif defined(__OS2__)
+#  define PLATFORM_ID "OS2"
+
+# elif defined(__WINDOWS__)
+#  define PLATFORM_ID "Windows3x"
+
+# elif defined(__VXWORKS__)
+#  define PLATFORM_ID "VxWorks"
+
+# else /* unknown platform */
+#  define PLATFORM_ID
+# endif
+
+#elif defined(__INTEGRITY)
+# if defined(INT_178B)
+#  define PLATFORM_ID "Integrity178"
+
+# else /* regular Integrity */
+#  define PLATFORM_ID "Integrity"
+# endif
+
+# elif defined(_ADI_COMPILER)
+#  define PLATFORM_ID "ADSP"
+
+#else /* unknown platform */
+# define PLATFORM_ID
+
+#endif
+
+/* For windows compilers MSVC and Intel we can determine
+   the architecture of the compiler being used.  This is because
+   the compilers do not have flags that can change the architecture,
+   but rather depend on which compiler is being used
+*/
+#if defined(_WIN32) && defined(_MSC_VER)
+# if defined(_M_IA64)
+#  define ARCHITECTURE_ID "IA64"
+
+# elif defined(_M_ARM64EC)
+#  define ARCHITECTURE_ID "ARM64EC"
+
+# elif defined(_M_X64) || defined(_M_AMD64)
+#  define ARCHITECTURE_ID "x64"
+
+# elif defined(_M_IX86)
+#  define ARCHITECTURE_ID "X86"
+
+# elif defined(_M_ARM64)
+#  define ARCHITECTURE_ID "ARM64"
+
+# elif defined(_M_ARM)
+#  if _M_ARM == 4
+#   define ARCHITECTURE_ID "ARMV4I"
+#  elif _M_ARM == 5
+#   define ARCHITECTURE_ID "ARMV5I"
+#  else
+#   define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM)
+#  endif
+
+# elif defined(_M_MIPS)
+#  define ARCHITECTURE_ID "MIPS"
+
+# elif defined(_M_SH)
+#  define ARCHITECTURE_ID "SHx"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__WATCOMC__)
+# if defined(_M_I86)
+#  define ARCHITECTURE_ID "I86"
+
+# elif defined(_M_IX86)
+#  define ARCHITECTURE_ID "X86"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
+# if defined(__ICCARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__ICCRX__)
+#  define ARCHITECTURE_ID "RX"
+
+# elif defined(__ICCRH850__)
+#  define ARCHITECTURE_ID "RH850"
+
+# elif defined(__ICCRL78__)
+#  define ARCHITECTURE_ID "RL78"
+
+# elif defined(__ICCRISCV__)
+#  define ARCHITECTURE_ID "RISCV"
+
+# elif defined(__ICCAVR__)
+#  define ARCHITECTURE_ID "AVR"
+
+# elif defined(__ICC430__)
+#  define ARCHITECTURE_ID "MSP430"
+
+# elif defined(__ICCV850__)
+#  define ARCHITECTURE_ID "V850"
+
+# elif defined(__ICC8051__)
+#  define ARCHITECTURE_ID "8051"
+
+# elif defined(__ICCSTM8__)
+#  define ARCHITECTURE_ID "STM8"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__ghs__)
+# if defined(__PPC64__)
+#  define ARCHITECTURE_ID "PPC64"
+
+# elif defined(__ppc__)
+#  define ARCHITECTURE_ID "PPC"
+
+# elif defined(__ARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__x86_64__)
+#  define ARCHITECTURE_ID "x64"
+
+# elif defined(__i386__)
+#  define ARCHITECTURE_ID "X86"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__TI_COMPILER_VERSION__)
+# if defined(__TI_ARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__MSP430__)
+#  define ARCHITECTURE_ID "MSP430"
+
+# elif defined(__TMS320C28XX__)
+#  define ARCHITECTURE_ID "TMS320C28x"
+
+# elif defined(__TMS320C6X__) || defined(_TMS320C6X)
+#  define ARCHITECTURE_ID "TMS320C6x"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+# elif defined(__ADSPSHARC__)
+#  define ARCHITECTURE_ID "SHARC"
+
+# elif defined(__ADSPBLACKFIN__)
+#  define ARCHITECTURE_ID "Blackfin"
+
+#elif defined(__TASKING__)
+
+# if defined(__CTC__) || defined(__CPTC__)
+#  define ARCHITECTURE_ID "TriCore"
+
+# elif defined(__CMCS__)
+#  define ARCHITECTURE_ID "MCS"
+
+# elif defined(__CARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__CARC__)
+#  define ARCHITECTURE_ID "ARC"
+
+# elif defined(__C51__)
+#  define ARCHITECTURE_ID "8051"
+
+# elif defined(__CPCP__)
+#  define ARCHITECTURE_ID "PCP"
+
+# else
+#  define ARCHITECTURE_ID ""
+# endif
+
+#else
+#  define ARCHITECTURE_ID
+#endif
+
+/* Convert integer to decimal digit literals.  */
+#define DEC(n)                   \
+  ('0' + (((n) / 10000000)%10)), \
+  ('0' + (((n) / 1000000)%10)),  \
+  ('0' + (((n) / 100000)%10)),   \
+  ('0' + (((n) / 10000)%10)),    \
+  ('0' + (((n) / 1000)%10)),     \
+  ('0' + (((n) / 100)%10)),      \
+  ('0' + (((n) / 10)%10)),       \
+  ('0' +  ((n) % 10))
+
+/* Convert integer to hex digit literals.  */
+#define HEX(n)             \
+  ('0' + ((n)>>28 & 0xF)), \
+  ('0' + ((n)>>24 & 0xF)), \
+  ('0' + ((n)>>20 & 0xF)), \
+  ('0' + ((n)>>16 & 0xF)), \
+  ('0' + ((n)>>12 & 0xF)), \
+  ('0' + ((n)>>8  & 0xF)), \
+  ('0' + ((n)>>4  & 0xF)), \
+  ('0' + ((n)     & 0xF))
+
+/* Construct a string literal encoding the version number. */
+#ifdef COMPILER_VERSION
+char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]";
+
+/* Construct a string literal encoding the version number components. */
+#elif defined(COMPILER_VERSION_MAJOR)
+char const info_version[] = {
+  'I', 'N', 'F', 'O', ':',
+  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[',
+  COMPILER_VERSION_MAJOR,
+# ifdef COMPILER_VERSION_MINOR
+  '.', COMPILER_VERSION_MINOR,
+#  ifdef COMPILER_VERSION_PATCH
+   '.', COMPILER_VERSION_PATCH,
+#   ifdef COMPILER_VERSION_TWEAK
+    '.', COMPILER_VERSION_TWEAK,
+#   endif
+#  endif
+# endif
+  ']','\0'};
+#endif
+
+/* Construct a string literal encoding the internal version number. */
+#ifdef COMPILER_VERSION_INTERNAL
+char const info_version_internal[] = {
+  'I', 'N', 'F', 'O', ':',
+  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_',
+  'i','n','t','e','r','n','a','l','[',
+  COMPILER_VERSION_INTERNAL,']','\0'};
+#elif defined(COMPILER_VERSION_INTERNAL_STR)
+char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]";
+#endif
+
+/* Construct a string literal encoding the version number components. */
+#ifdef SIMULATE_VERSION_MAJOR
+char const info_simulate_version[] = {
+  'I', 'N', 'F', 'O', ':',
+  's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[',
+  SIMULATE_VERSION_MAJOR,
+# ifdef SIMULATE_VERSION_MINOR
+  '.', SIMULATE_VERSION_MINOR,
+#  ifdef SIMULATE_VERSION_PATCH
+   '.', SIMULATE_VERSION_PATCH,
+#   ifdef SIMULATE_VERSION_TWEAK
+    '.', SIMULATE_VERSION_TWEAK,
+#   endif
+#  endif
+# endif
+  ']','\0'};
+#endif
+
+/* Construct the string literal in pieces to prevent the source from
+   getting matched.  Store it in a pointer rather than an array
+   because some compilers will just produce instructions to fill the
+   array rather than assigning a pointer to a static array.  */
+char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]";
+char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]";
+
+
+
+#if !defined(__STDC__) && !defined(__clang__)
+# if defined(_MSC_VER) || defined(__ibmxl__) || defined(__IBMC__)
+#  define C_VERSION "90"
+# else
+#  define C_VERSION
+# endif
+#elif __STDC_VERSION__ > 201710L
+# define C_VERSION "23"
+#elif __STDC_VERSION__ >= 201710L
+# define C_VERSION "17"
+#elif __STDC_VERSION__ >= 201000L
+# define C_VERSION "11"
+#elif __STDC_VERSION__ >= 199901L
+# define C_VERSION "99"
+#else
+# define C_VERSION "90"
+#endif
+const char* info_language_standard_default =
+  "INFO" ":" "standard_default[" C_VERSION "]";
+
+const char* info_language_extensions_default = "INFO" ":" "extensions_default["
+#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) ||           \
+     defined(__TI_COMPILER_VERSION__)) &&                                     \
+  !defined(__STRICT_ANSI__)
+  "ON"
+#else
+  "OFF"
+#endif
+"]";
+
+/*--------------------------------------------------------------------------*/
+
+#ifdef ID_VOID_MAIN
+void main() {}
+#else
+# if defined(__CLASSIC_C__)
+int main(argc, argv) int argc; char *argv[];
+# else
+int main(int argc, char* argv[])
+# endif
+{
+  int require = 0;
+  require += info_compiler[argc];
+  require += info_platform[argc];
+  require += info_arch[argc];
+#ifdef COMPILER_VERSION_MAJOR
+  require += info_version[argc];
+#endif
+#ifdef COMPILER_VERSION_INTERNAL
+  require += info_version_internal[argc];
+#endif
+#ifdef SIMULATE_ID
+  require += info_simulate[argc];
+#endif
+#ifdef SIMULATE_VERSION_MAJOR
+  require += info_simulate_version[argc];
+#endif
+#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
+  require += info_cray[argc];
+#endif
+  require += info_language_standard_default[argc];
+  require += info_language_extensions_default[argc];
+  (void)argv;
+  return require;
+}
+#endif
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out
new file mode 100755
index 0000000000000000000000000000000000000000..59cce56d0864b921fa3ad5b3107537b269645584
GIT binary patch
literal 80632
zcmeI3eQX@Zb->@<k)mYkgOp`UmTl=|6R5027m`ve+7aMAk`hT&5>=T=6v*jn?`}yR
zblfBMmJSsMHIw*{v<U(cQEMS-3Lz*E=L<*xA+ZxUQHmmPk)lu?I~7o*m5n$M5TjL`
zq!0_!*Y{@T9e4NkXeC8~xOfBXy`4Ajy_xyV?Cj?~dFaUDbSed$((oOioYihAmHq{o
z-?w68!2qlS3wFT0um-K#aAP~m?6JIQ+*qzfTS^(+$ZsG`Ig%EMhP+$l09bPEB->4y
z7M96rIlNA1S%T_~{-w5FU)JT<m-A|e<!RH7X(QQ>vgCKu_}w&qEU%b`vE=?y-)NgK
z@g~w1<|uEGfMNB!BFUE0@z;V9?H@FO4z9IGjd?9w`TYs{Q9Exnbs57GroL8Owwd;`
z<Z*aUrCfMVrL?zF_U7jII*wnQesF)TR?YS4es96}G{z&x-VZmw^v3C5{>5j%x2xyJ
z|MaDs&p-d#0}GwhM`{DbBO6L&-=X%jp31mBqkdaK_L~!|9ztC<K~FU&>2F7UQk+r?
zd$4UJQnYJ<;|KPPQ})0qRQ&)*OI#j=kt1V+Lw0|z??7XB-+r*iCXU)A*LSDNwZQc!
zjt*6-o;%?bDlW#HnyGpwrmamA4FS?fDuo1@R|++EVOx2epI-bcoE{mt-{>x>d>V3?
zr*x&BS2BeI(>MfBb2X%=@!@nWq>mntgUTe0akwp{SPLuqaGb7?p5_FnNAAzOy!^xu
zzOtNwMI5{H%TN69nIE9;a>o8C+mO70HaAdozcsSd_39&w+4Rnz?#yOh=B+CQ=epC@
zQdb&OnaZ!h{C%PPZI~a_`Ecx8*|&Q#FW(CbFYdtYwG4dqm5jCY>iw|z3v4&~pMxuR
zEM~B*4Y!}w>rek2H}V+(*g|cjed^OS>;t?$vSa~V`j>irE9s~lA)bS5Y7v*{bGuMJ
z0`SYrxQx7l_Pef+EIDX@Ba`|nV80ccnEft*AK&-plRwF?|M;hOy_x^q57GWr^c}o0
zvQ$vM>4q=Wr@4P$asPEEEZvUrPT!Y*XaV58)c!0ioH%`7>Y-nET1(4M{9R*Am^bz3
z-?9DmPr^T6+XT<Ol7XfAPIylBV*wUZU@cwSwD4RO;L`xsLs-7&+D_{^oGqQ#*zV#j
z+FiZ{I~;@5!j45%=k)1;#QLt?LLA}>I1X>qe(DSMeUZi@Jcr}+myXYH8asA){NZAC
zX0}{${ZqIiepr`A^!DSfUn^I=Q@twn_2=|XZ(n1_xPkJUtvJDC)t@<agjQ))r1Z2}
zpVF2pkBgR9a{LmmLzB*2B{<c0AQH!&4_uEbt~D&ik9`<YcW2&bVKZsXZd<O`Pof+~
zSwUGs`4r0YC@-LV3FX&OZh5O-e+lJ1C|^g(>r?8ZC!lS9N9ykNJC$x5mi_IU_4+}S
zknh+*=aYBib_I2Oj-?{<AI9w}>U&9niFDMK->^UK_uxkD%3?bPP(prheq;8FZGV#)
z{9JnU-+uO!ji^C2)pH)V0kjL(LwaieZq&D>a0k7g+=x<=5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$tEe?Z{)8cX$}%gB`J(_KccH}XQ8rS>+M{9_$D&vw_B^Qz=-Q@+;7
z?MB`(<@dzOfBROwN~#NKiv+Z*Ux3k!rS{gC{IhADzs=<T%*ak7w;6edkt{N1=XzbY
zFKzOpMs6{(!^o{h9yk4E{aTafezE^LW6$-!RoDHwYT92n`IND{Ve&sR<wpH~CT<$;
zziS1TO@HH(<9y1D|5YPz7zt}FWs)^=WN7H&?Cz0c?|&fM*PrXl^=12e`}=#}+j}6p
z`-EG{jyi!U*xUC2dJ^9*ih#gI@;#}2P9Iq97HQyPMkd*O%9Q=}DmFZap9zg+ye^*C
z)22U3bzL-doHWNwk`2dU`TN>%TQ9BBW^QX>+Dykpq+hdry$2qI21n+ZC8(4%>vn(6
z^UB^-cB)v64;EyV;fk%}dDTMMOSI)Rf#c3r=BCipb7tI!v&NCa@v*Dz_Kb{w5Gw6>
zfUb$uwI@x-@TQ3FUA4d|p0SG+r#206d!%enanhdktASe#%2khI^O|MqIXr%1V(jpT
zpiXXgMtt8ja%609=;TQ||LCKK&}#hHqgWnmPY1Q9J>s{EhBqFoI#UkpNgsP{&sNJ`
z;QDA2Ys(s3A5<d$d+CRg9*=_Wc*W^ZUmh;Glg?ZvAQKs58Dlw)<v5nLTGnd3PHLC)
zF`X4LsdJ~CkL8+6uDQ(hu3T5^l|inn)!HccPIB)g_fB%}B==5o?<Dt5a_{tq`z({6
z_p{7KujAx-b^e|Iyqd?BrHpaYdxUrVJBbDJzKq||$r!(L$C%!i(YwWzzL!jV#}yxM
ze&?lq_9VW4Gw~AVI##!8%HV^Jfwa|RlYul$B<eFTpQvwZe1{MYmch4u&nDWhX?&*;
zweNtW_xl-qyUpJPMD5oBe_s&Q-v<00LR8-g{4P7HUl07gKC0i)c=sFCZv=in9o27w
zd48WCD#+l-A2jdvLu$xCH!LLTHv@kc61Be__<NA3ehVahuaJQ|;05#jM%4aJ;O{!3
z`mL}H2E!_~pF!<tqQ3FQI^vUo?QlG1kJBF7;8*J1aoAYB0LHhwd|%0B`W^QM2+SJD
zdi|YAH=K`gQ{T&^H#EL=h}v(5;cd}=<;Wnx{;<)<+oS8<4(C(RIDgv0{-Z7Q9LMU2
z#(BDh{j)9f9Ow1*(Ks))u>Va9J;%AQIT~jJ4H)uC=Fq$j>_Ph!&S+jAvQ!_Y{U#1y
zr)Vtz*SmXrwBF$s_9s_u&vuy4MB`Li*gw@m&+X}17mf497WUt5q31YPHb&#T*uwrl
zTIe~>$F@Y{WYS2m<+wDjKld1WKDWgAufHc6f4{NkYYw(QzG}VO;j#8;oJtG(&$Q5U
zf7f<K<9wrq{fjO19OqJ3G|n3>?C+$HQd;ud4yW&o#@W}xe!}SEoS!iII8R>p;`X}z
z-SA9oeY=QpR$D*g@xP4rX<S!Xzr_rsuDAI-sP)a~wM(nk+X?)g70(ln!{1i1{(Gy&
z*#H+~>->*Q`{Vi-jQ&c@UUS<73$gR>zZ!e~PLtd7E7Ye#=QTPEDd{-P=h<at->mOx
z)13KxP#uNiG@r+N(LM#udLH-7v2oY>=JW43#z~qF%z?i%jJ9VhWMk)Lo`?KRUevxD
zcCWKorDS2%db`1j*`HDUZPrt;r1qax_RZHbpFllbLC3G7{!-aDU+3t4HDA|#4ed8m
zs91Ud_1Tz?vK#P&wJgqx_;u0G(Y`A*e;Tf6Px|=v&l}2qYtwbq616AYeB9Md{CJ#B
z6~DPX+f+Lnt!V805$e0s&Bw)l)F*K`ME3aAAYaE~GgO*T`mM0r%pc7cpkVY?O#jEY
z-X?MQB-M-SEw6hVr<?Sl>%fDi-Y=N=Ja5_lE2vM3|1G1BU$0VMDL&8hHgmu~Pw~^u
z<MI!t-ho)ZuA@F{+7=dR{Md1GI$>Q!J@LHQVJY)|<8+78Z-w4id?@-sU#<#0^I+Q_
z@ts+F#wmNyQ-YlNRK<1*W!uB=G;_ryo$Y#wwz=tQ(8|75S#Hj&l+U=8vn?H0Gsxk`
zrhYIt+tPWJ@|-(gZrxl}Xe$tbGqn=G?3IHs6`hX~(Yk1lSL~AX2^2yO%>+yhO}z^_
zwJ3}AI^+<=f$l-MX!~xZS`7C$s*m<NS{ChRw2b^#D^K8&5TKb$)TnuOM9WnxP!*j)
zQJWaAXrT%a<z|;E8k!Thwy~ZqySgbW)2Njh9a(sImhtc`I+cq35!X3mPkN;DNaqIy
z7eCm>-ID9$UJXB8wu2e`+`8(yH9Ve6ReP#ZEjSgs6jc41?aa+Xu{twbaRaxM>rJ+>
zCvhIwj_*5Xu}gt}7WB8#rMa1zv*;4a*)(G!rb9=aGw#q3)={pw{#XfT3pSGmxQeca
zPvnmtvJV{_wr#M7KXfdAbZiLK_^$)|(5NXL9X<i}$dU2E{1JQn@Zm=fP1qCp!6S#z
z!>*JIMdIiOYL&9oQz*MXw{Jh#V-rX16$}$chX}%iQ>eJ;Sg6&EABJ&DPT+v*rYXYq
zQHyLU&~})anyGp#PIjqQwWl4ggz=n0)ejn#_Z`5>$I-G>_UyTuTY|DTS+!>?PB2;Z
zXLPROcvExElxw^5NTY@yyw|X``YZ7k!>=7_xCkXSh+Em{4C=6-hNr5uQ4K=!N{(Mz
zsf76OB#F|YLDZE!?)ua;opJo)G(fI)b|!ENC<9;1Y2H(x%HwLQ&J9!ET&^%zu9Wtc
z@pPb6`N6ThYPqDcY5E61u5{MJcv=QN<fw!z4QFgD!_~$i2eUVe-_z$*Q*!}Agd9y%
zEUT)~%(>HMVosOPmvh=f&rt2b`xw}nDdQP!icVAblT#JwU`QBpNPY(Aziy=JTFwaq
zzg(CL@ZkF2Ci?#sT@ui3BBg<}MFOP~!2i$EIc>}PB=5(q12^{P=cf}!(L+X|#Mf1<
z!oQhB{P{V`yz$Snp^<U_VbuQ@{zr=IzmT?+<prbQ|BvD2i%NVQWwLM#cj%cL`#+nu
zFbDYjRtY$#h5Aniabo{%M*jhnc#G8V=l`LNk`fdD?@Z^K`O$MU{6j~h{rnu5?gJ_D
z|LM5>+)kEf(1!j)#(92TeAW2(swnzDDdF}THPG`qV#@yfTzRblJ!%ZO{&@eNGX8_c
zj-NjtPw=OA0dfD&qK?{ymxU_vbLtDmpU2M>tG4n!$v?*}?9b1$FB|{kVPo8<cM;)q
z9y4Ko%iLdEro-wvQpmvy?bGh(aSQwN^YO>%puoiQMCUYX-Y0nxH}YrxeE%_T{Qn-y
z!io8@?it((`}2L`L1Q?~hDI7J4ehsM{`_2i!T7&j{g=^yBW`B8HJ;yJUq&USczZd|
z@*mNL{;S3Q{G9*BE&5+YUz$7Y&+h|n8viQ<2NTaPu9xS*D_BM*?9cBFUNBGWvse~R
z?9cKSSQz%__Y2pJKOcV_gZ)_kXUw1Px3{UNfcHt!#D1*(E$)zx+t2rZqsBjOZ*Z_X
z{5S5AE?y7&tM>&BYi&zej+4P1nyL$=#KiaQ^TuM!4z1^Rdhz*3ad_@)OZ|Iphpyq9
x#*x;6$8qES@Nq@|r{%tDPyK7XTl??ifj5O(yJFdmyGj0bzqY(9<`B!m{{a6BpB4ZB

literal 0
HcmV?d00001

diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp
new file mode 100644
index 000000000000..746b1672e640
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp
@@ -0,0 +1,855 @@
+/* This source file must have a .cpp extension so that all C++ compilers
+   recognize the extension without flags.  Borland does not know .cxx for
+   example.  */
+#ifndef __cplusplus
+# error "A C compiler has been selected for C++."
+#endif
+
+#if !defined(__has_include)
+/* If the compiler does not have __has_include, pretend the answer is
+   always no.  */
+#  define __has_include(x) 0
+#endif
+
+
+/* Version number components: V=Version, R=Revision, P=Patch
+   Version date components:   YYYY=Year, MM=Month,   DD=Day  */
+
+#if defined(__COMO__)
+# define COMPILER_ID "Comeau"
+  /* __COMO_VERSION__ = VRR */
+# define COMPILER_VERSION_MAJOR DEC(__COMO_VERSION__ / 100)
+# define COMPILER_VERSION_MINOR DEC(__COMO_VERSION__ % 100)
+
+#elif defined(__INTEL_COMPILER) || defined(__ICC)
+# define COMPILER_ID "Intel"
+# if defined(_MSC_VER)
+#  define SIMULATE_ID "MSVC"
+# endif
+# if defined(__GNUC__)
+#  define SIMULATE_ID "GNU"
+# endif
+  /* __INTEL_COMPILER = VRP prior to 2021, and then VVVV for 2021 and later,
+     except that a few beta releases use the old format with V=2021.  */
+# if __INTEL_COMPILER < 2021 || __INTEL_COMPILER == 202110 || __INTEL_COMPILER == 202111
+#  define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER/100)
+#  define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER/10 % 10)
+#  if defined(__INTEL_COMPILER_UPDATE)
+#   define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER_UPDATE)
+#  else
+#   define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER   % 10)
+#  endif
+# else
+#  define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER)
+#  define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER_UPDATE)
+   /* The third version component from --version is an update index,
+      but no macro is provided for it.  */
+#  define COMPILER_VERSION_PATCH DEC(0)
+# endif
+# if defined(__INTEL_COMPILER_BUILD_DATE)
+   /* __INTEL_COMPILER_BUILD_DATE = YYYYMMDD */
+#  define COMPILER_VERSION_TWEAK DEC(__INTEL_COMPILER_BUILD_DATE)
+# endif
+# if defined(_MSC_VER)
+   /* _MSC_VER = VVRR */
+#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+# endif
+# if defined(__GNUC__)
+#  define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
+# elif defined(__GNUG__)
+#  define SIMULATE_VERSION_MAJOR DEC(__GNUG__)
+# endif
+# if defined(__GNUC_MINOR__)
+#  define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
+# endif
+# if defined(__GNUC_PATCHLEVEL__)
+#  define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+# endif
+
+#elif (defined(__clang__) && defined(__INTEL_CLANG_COMPILER)) || defined(__INTEL_LLVM_COMPILER)
+# define COMPILER_ID "IntelLLVM"
+#if defined(_MSC_VER)
+# define SIMULATE_ID "MSVC"
+#endif
+#if defined(__GNUC__)
+# define SIMULATE_ID "GNU"
+#endif
+/* __INTEL_LLVM_COMPILER = VVVVRP prior to 2021.2.0, VVVVRRPP for 2021.2.0 and
+ * later.  Look for 6 digit vs. 8 digit version number to decide encoding.
+ * VVVV is no smaller than the current year when a version is released.
+ */
+#if __INTEL_LLVM_COMPILER < 1000000L
+# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/100)
+# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER    % 10)
+#else
+# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/10000)
+# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/100 % 100)
+# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER     % 100)
+#endif
+#if defined(_MSC_VER)
+  /* _MSC_VER = VVRR */
+# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+#endif
+#if defined(__GNUC__)
+# define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
+#elif defined(__GNUG__)
+# define SIMULATE_VERSION_MAJOR DEC(__GNUG__)
+#endif
+#if defined(__GNUC_MINOR__)
+# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
+#endif
+#if defined(__GNUC_PATCHLEVEL__)
+# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+#endif
+
+#elif defined(__PATHCC__)
+# define COMPILER_ID "PathScale"
+# define COMPILER_VERSION_MAJOR DEC(__PATHCC__)
+# define COMPILER_VERSION_MINOR DEC(__PATHCC_MINOR__)
+# if defined(__PATHCC_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__PATHCC_PATCHLEVEL__)
+# endif
+
+#elif defined(__BORLANDC__) && defined(__CODEGEARC_VERSION__)
+# define COMPILER_ID "Embarcadero"
+# define COMPILER_VERSION_MAJOR HEX(__CODEGEARC_VERSION__>>24 & 0x00FF)
+# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF)
+# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__     & 0xFFFF)
+
+#elif defined(__BORLANDC__)
+# define COMPILER_ID "Borland"
+  /* __BORLANDC__ = 0xVRR */
+# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8)
+# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF)
+
+#elif defined(__WATCOMC__) && __WATCOMC__ < 1200
+# define COMPILER_ID "Watcom"
+   /* __WATCOMC__ = VVRR */
+# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100)
+# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
+# if (__WATCOMC__ % 10) > 0
+#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
+# endif
+
+#elif defined(__WATCOMC__)
+# define COMPILER_ID "OpenWatcom"
+   /* __WATCOMC__ = VVRP + 1100 */
+# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100)
+# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
+# if (__WATCOMC__ % 10) > 0
+#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
+# endif
+
+#elif defined(__SUNPRO_CC)
+# define COMPILER_ID "SunPro"
+# if __SUNPRO_CC >= 0x5100
+   /* __SUNPRO_CC = 0xVRRP */
+#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>12)
+#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xFF)
+#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC    & 0xF)
+# else
+   /* __SUNPRO_CC = 0xVRP */
+#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>8)
+#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xF)
+#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC    & 0xF)
+# endif
+
+#elif defined(__HP_aCC)
+# define COMPILER_ID "HP"
+  /* __HP_aCC = VVRRPP */
+# define COMPILER_VERSION_MAJOR DEC(__HP_aCC/10000)
+# define COMPILER_VERSION_MINOR DEC(__HP_aCC/100 % 100)
+# define COMPILER_VERSION_PATCH DEC(__HP_aCC     % 100)
+
+#elif defined(__DECCXX)
+# define COMPILER_ID "Compaq"
+  /* __DECCXX_VER = VVRRTPPPP */
+# define COMPILER_VERSION_MAJOR DEC(__DECCXX_VER/10000000)
+# define COMPILER_VERSION_MINOR DEC(__DECCXX_VER/100000  % 100)
+# define COMPILER_VERSION_PATCH DEC(__DECCXX_VER         % 10000)
+
+#elif defined(__IBMCPP__) && defined(__COMPILER_VER__)
+# define COMPILER_ID "zOS"
+  /* __IBMCPP__ = VRP */
+# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100)
+# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__IBMCPP__    % 10)
+
+#elif defined(__open_xl__) && defined(__clang__)
+# define COMPILER_ID "IBMClang"
+# define COMPILER_VERSION_MAJOR DEC(__open_xl_version__)
+# define COMPILER_VERSION_MINOR DEC(__open_xl_release__)
+# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__)
+# define COMPILER_VERSION_TWEAK DEC(__open_xl_ptf_fix_level__)
+
+
+#elif defined(__ibmxl__) && defined(__clang__)
+# define COMPILER_ID "XLClang"
+# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__)
+# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__)
+# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__)
+# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__)
+
+
+#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ >= 800
+# define COMPILER_ID "XL"
+  /* __IBMCPP__ = VRP */
+# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100)
+# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__IBMCPP__    % 10)
+
+#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ < 800
+# define COMPILER_ID "VisualAge"
+  /* __IBMCPP__ = VRP */
+# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100)
+# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__IBMCPP__    % 10)
+
+#elif defined(__NVCOMPILER)
+# define COMPILER_ID "NVHPC"
+# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__)
+# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__)
+# if defined(__NVCOMPILER_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__)
+# endif
+
+#elif defined(__PGI)
+# define COMPILER_ID "PGI"
+# define COMPILER_VERSION_MAJOR DEC(__PGIC__)
+# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__)
+# if defined(__PGIC_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__)
+# endif
+
+#elif defined(_CRAYC)
+# define COMPILER_ID "Cray"
+# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR)
+# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR)
+
+#elif defined(__TI_COMPILER_VERSION__)
+# define COMPILER_ID "TI"
+  /* __TI_COMPILER_VERSION__ = VVVRRRPPP */
+# define COMPILER_VERSION_MAJOR DEC(__TI_COMPILER_VERSION__/1000000)
+# define COMPILER_VERSION_MINOR DEC(__TI_COMPILER_VERSION__/1000   % 1000)
+# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__        % 1000)
+
+#elif defined(__CLANG_FUJITSU)
+# define COMPILER_ID "FujitsuClang"
+# define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
+# define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
+# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
+# define COMPILER_VERSION_INTERNAL_STR __clang_version__
+
+
+#elif defined(__FUJITSU)
+# define COMPILER_ID "Fujitsu"
+# if defined(__FCC_version__)
+#   define COMPILER_VERSION __FCC_version__
+# elif defined(__FCC_major__)
+#   define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
+#   define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
+#   define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
+# endif
+# if defined(__fcc_version)
+#   define COMPILER_VERSION_INTERNAL DEC(__fcc_version)
+# elif defined(__FCC_VERSION)
+#   define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION)
+# endif
+
+
+#elif defined(__ghs__)
+# define COMPILER_ID "GHS"
+/* __GHS_VERSION_NUMBER = VVVVRP */
+# ifdef __GHS_VERSION_NUMBER
+# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100)
+# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10)
+# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER      % 10)
+# endif
+
+#elif defined(__TASKING__)
+# define COMPILER_ID "Tasking"
+  # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000)
+  # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100)
+# define COMPILER_VERSION_INTERNAL DEC(__VERSION__)
+
+#elif defined(__SCO_VERSION__)
+# define COMPILER_ID "SCO"
+
+#elif defined(__ARMCC_VERSION) && !defined(__clang__)
+# define COMPILER_ID "ARMCC"
+#if __ARMCC_VERSION >= 1000000
+  /* __ARMCC_VERSION = VRRPPPP */
+  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000)
+  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 100)
+  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION     % 10000)
+#else
+  /* __ARMCC_VERSION = VRPPPP */
+  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000)
+  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10)
+  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION    % 10000)
+#endif
+
+
+#elif defined(__clang__) && defined(__apple_build_version__)
+# define COMPILER_ID "AppleClang"
+# if defined(_MSC_VER)
+#  define SIMULATE_ID "MSVC"
+# endif
+# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
+# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
+# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
+# if defined(_MSC_VER)
+   /* _MSC_VER = VVRR */
+#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+# endif
+# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__)
+
+#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION)
+# define COMPILER_ID "ARMClang"
+  # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000)
+  # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100)
+  # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION     % 10000)
+# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION)
+
+#elif defined(__clang__)
+# define COMPILER_ID "Clang"
+# if defined(_MSC_VER)
+#  define SIMULATE_ID "MSVC"
+# endif
+# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
+# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
+# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
+# if defined(_MSC_VER)
+   /* _MSC_VER = VVRR */
+#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
+#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
+# endif
+
+#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__))
+# define COMPILER_ID "LCC"
+# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100)
+# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100)
+# if defined(__LCC_MINOR__)
+#  define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__)
+# endif
+# if defined(__GNUC__) && defined(__GNUC_MINOR__)
+#  define SIMULATE_ID "GNU"
+#  define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
+#  define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
+#  if defined(__GNUC_PATCHLEVEL__)
+#   define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+#  endif
+# endif
+
+#elif defined(__GNUC__) || defined(__GNUG__)
+# define COMPILER_ID "GNU"
+# if defined(__GNUC__)
+#  define COMPILER_VERSION_MAJOR DEC(__GNUC__)
+# else
+#  define COMPILER_VERSION_MAJOR DEC(__GNUG__)
+# endif
+# if defined(__GNUC_MINOR__)
+#  define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__)
+# endif
+# if defined(__GNUC_PATCHLEVEL__)
+#  define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
+# endif
+
+#elif defined(_MSC_VER)
+# define COMPILER_ID "MSVC"
+  /* _MSC_VER = VVRR */
+# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100)
+# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100)
+# if defined(_MSC_FULL_VER)
+#  if _MSC_VER >= 1400
+    /* _MSC_FULL_VER = VVRRPPPPP */
+#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000)
+#  else
+    /* _MSC_FULL_VER = VVRRPPPP */
+#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000)
+#  endif
+# endif
+# if defined(_MSC_BUILD)
+#  define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD)
+# endif
+
+#elif defined(_ADI_COMPILER)
+# define COMPILER_ID "ADSP"
+#if defined(__VERSIONNUM__)
+  /* __VERSIONNUM__ = 0xVVRRPPTT */
+#  define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF)
+#  define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF)
+#  define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF)
+#  define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF)
+#endif
+
+#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
+# define COMPILER_ID "IAR"
+# if defined(__VER__) && defined(__ICCARM__)
+#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000)
+#  define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000)
+#  define COMPILER_VERSION_PATCH DEC((__VER__) % 1000)
+#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
+# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__))
+#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 100)
+#  define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100))
+#  define COMPILER_VERSION_PATCH DEC(__SUBVERSION__)
+#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
+# endif
+
+
+/* These compilers are either not known or too old to define an
+  identification macro.  Try to identify the platform and guess that
+  it is the native compiler.  */
+#elif defined(__hpux) || defined(__hpua)
+# define COMPILER_ID "HP"
+
+#else /* unknown compiler */
+# define COMPILER_ID ""
+#endif
+
+/* Construct the string literal in pieces to prevent the source from
+   getting matched.  Store it in a pointer rather than an array
+   because some compilers will just produce instructions to fill the
+   array rather than assigning a pointer to a static array.  */
+char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]";
+#ifdef SIMULATE_ID
+char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]";
+#endif
+
+#ifdef __QNXNTO__
+char const* qnxnto = "INFO" ":" "qnxnto[]";
+#endif
+
+#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
+char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]";
+#endif
+
+#define STRINGIFY_HELPER(X) #X
+#define STRINGIFY(X) STRINGIFY_HELPER(X)
+
+/* Identify known platforms by name.  */
+#if defined(__linux) || defined(__linux__) || defined(linux)
+# define PLATFORM_ID "Linux"
+
+#elif defined(__MSYS__)
+# define PLATFORM_ID "MSYS"
+
+#elif defined(__CYGWIN__)
+# define PLATFORM_ID "Cygwin"
+
+#elif defined(__MINGW32__)
+# define PLATFORM_ID "MinGW"
+
+#elif defined(__APPLE__)
+# define PLATFORM_ID "Darwin"
+
+#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
+# define PLATFORM_ID "Windows"
+
+#elif defined(__FreeBSD__) || defined(__FreeBSD)
+# define PLATFORM_ID "FreeBSD"
+
+#elif defined(__NetBSD__) || defined(__NetBSD)
+# define PLATFORM_ID "NetBSD"
+
+#elif defined(__OpenBSD__) || defined(__OPENBSD)
+# define PLATFORM_ID "OpenBSD"
+
+#elif defined(__sun) || defined(sun)
+# define PLATFORM_ID "SunOS"
+
+#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__)
+# define PLATFORM_ID "AIX"
+
+#elif defined(__hpux) || defined(__hpux__)
+# define PLATFORM_ID "HP-UX"
+
+#elif defined(__HAIKU__)
+# define PLATFORM_ID "Haiku"
+
+#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS)
+# define PLATFORM_ID "BeOS"
+
+#elif defined(__QNX__) || defined(__QNXNTO__)
+# define PLATFORM_ID "QNX"
+
+#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__)
+# define PLATFORM_ID "Tru64"
+
+#elif defined(__riscos) || defined(__riscos__)
+# define PLATFORM_ID "RISCos"
+
+#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__)
+# define PLATFORM_ID "SINIX"
+
+#elif defined(__UNIX_SV__)
+# define PLATFORM_ID "UNIX_SV"
+
+#elif defined(__bsdos__)
+# define PLATFORM_ID "BSDOS"
+
+#elif defined(_MPRAS) || defined(MPRAS)
+# define PLATFORM_ID "MP-RAS"
+
+#elif defined(__osf) || defined(__osf__)
+# define PLATFORM_ID "OSF1"
+
+#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv)
+# define PLATFORM_ID "SCO_SV"
+
+#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX)
+# define PLATFORM_ID "ULTRIX"
+
+#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX)
+# define PLATFORM_ID "Xenix"
+
+#elif defined(__WATCOMC__)
+# if defined(__LINUX__)
+#  define PLATFORM_ID "Linux"
+
+# elif defined(__DOS__)
+#  define PLATFORM_ID "DOS"
+
+# elif defined(__OS2__)
+#  define PLATFORM_ID "OS2"
+
+# elif defined(__WINDOWS__)
+#  define PLATFORM_ID "Windows3x"
+
+# elif defined(__VXWORKS__)
+#  define PLATFORM_ID "VxWorks"
+
+# else /* unknown platform */
+#  define PLATFORM_ID
+# endif
+
+#elif defined(__INTEGRITY)
+# if defined(INT_178B)
+#  define PLATFORM_ID "Integrity178"
+
+# else /* regular Integrity */
+#  define PLATFORM_ID "Integrity"
+# endif
+
+# elif defined(_ADI_COMPILER)
+#  define PLATFORM_ID "ADSP"
+
+#else /* unknown platform */
+# define PLATFORM_ID
+
+#endif
+
+/* For windows compilers MSVC and Intel we can determine
+   the architecture of the compiler being used.  This is because
+   the compilers do not have flags that can change the architecture,
+   but rather depend on which compiler is being used
+*/
+#if defined(_WIN32) && defined(_MSC_VER)
+# if defined(_M_IA64)
+#  define ARCHITECTURE_ID "IA64"
+
+# elif defined(_M_ARM64EC)
+#  define ARCHITECTURE_ID "ARM64EC"
+
+# elif defined(_M_X64) || defined(_M_AMD64)
+#  define ARCHITECTURE_ID "x64"
+
+# elif defined(_M_IX86)
+#  define ARCHITECTURE_ID "X86"
+
+# elif defined(_M_ARM64)
+#  define ARCHITECTURE_ID "ARM64"
+
+# elif defined(_M_ARM)
+#  if _M_ARM == 4
+#   define ARCHITECTURE_ID "ARMV4I"
+#  elif _M_ARM == 5
+#   define ARCHITECTURE_ID "ARMV5I"
+#  else
+#   define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM)
+#  endif
+
+# elif defined(_M_MIPS)
+#  define ARCHITECTURE_ID "MIPS"
+
+# elif defined(_M_SH)
+#  define ARCHITECTURE_ID "SHx"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__WATCOMC__)
+# if defined(_M_I86)
+#  define ARCHITECTURE_ID "I86"
+
+# elif defined(_M_IX86)
+#  define ARCHITECTURE_ID "X86"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
+# if defined(__ICCARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__ICCRX__)
+#  define ARCHITECTURE_ID "RX"
+
+# elif defined(__ICCRH850__)
+#  define ARCHITECTURE_ID "RH850"
+
+# elif defined(__ICCRL78__)
+#  define ARCHITECTURE_ID "RL78"
+
+# elif defined(__ICCRISCV__)
+#  define ARCHITECTURE_ID "RISCV"
+
+# elif defined(__ICCAVR__)
+#  define ARCHITECTURE_ID "AVR"
+
+# elif defined(__ICC430__)
+#  define ARCHITECTURE_ID "MSP430"
+
+# elif defined(__ICCV850__)
+#  define ARCHITECTURE_ID "V850"
+
+# elif defined(__ICC8051__)
+#  define ARCHITECTURE_ID "8051"
+
+# elif defined(__ICCSTM8__)
+#  define ARCHITECTURE_ID "STM8"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__ghs__)
+# if defined(__PPC64__)
+#  define ARCHITECTURE_ID "PPC64"
+
+# elif defined(__ppc__)
+#  define ARCHITECTURE_ID "PPC"
+
+# elif defined(__ARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__x86_64__)
+#  define ARCHITECTURE_ID "x64"
+
+# elif defined(__i386__)
+#  define ARCHITECTURE_ID "X86"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+#elif defined(__TI_COMPILER_VERSION__)
+# if defined(__TI_ARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__MSP430__)
+#  define ARCHITECTURE_ID "MSP430"
+
+# elif defined(__TMS320C28XX__)
+#  define ARCHITECTURE_ID "TMS320C28x"
+
+# elif defined(__TMS320C6X__) || defined(_TMS320C6X)
+#  define ARCHITECTURE_ID "TMS320C6x"
+
+# else /* unknown architecture */
+#  define ARCHITECTURE_ID ""
+# endif
+
+# elif defined(__ADSPSHARC__)
+#  define ARCHITECTURE_ID "SHARC"
+
+# elif defined(__ADSPBLACKFIN__)
+#  define ARCHITECTURE_ID "Blackfin"
+
+#elif defined(__TASKING__)
+
+# if defined(__CTC__) || defined(__CPTC__)
+#  define ARCHITECTURE_ID "TriCore"
+
+# elif defined(__CMCS__)
+#  define ARCHITECTURE_ID "MCS"
+
+# elif defined(__CARM__)
+#  define ARCHITECTURE_ID "ARM"
+
+# elif defined(__CARC__)
+#  define ARCHITECTURE_ID "ARC"
+
+# elif defined(__C51__)
+#  define ARCHITECTURE_ID "8051"
+
+# elif defined(__CPCP__)
+#  define ARCHITECTURE_ID "PCP"
+
+# else
+#  define ARCHITECTURE_ID ""
+# endif
+
+#else
+#  define ARCHITECTURE_ID
+#endif
+
+/* Convert integer to decimal digit literals.  */
+#define DEC(n)                   \
+  ('0' + (((n) / 10000000)%10)), \
+  ('0' + (((n) / 1000000)%10)),  \
+  ('0' + (((n) / 100000)%10)),   \
+  ('0' + (((n) / 10000)%10)),    \
+  ('0' + (((n) / 1000)%10)),     \
+  ('0' + (((n) / 100)%10)),      \
+  ('0' + (((n) / 10)%10)),       \
+  ('0' +  ((n) % 10))
+
+/* Convert integer to hex digit literals.  */
+#define HEX(n)             \
+  ('0' + ((n)>>28 & 0xF)), \
+  ('0' + ((n)>>24 & 0xF)), \
+  ('0' + ((n)>>20 & 0xF)), \
+  ('0' + ((n)>>16 & 0xF)), \
+  ('0' + ((n)>>12 & 0xF)), \
+  ('0' + ((n)>>8  & 0xF)), \
+  ('0' + ((n)>>4  & 0xF)), \
+  ('0' + ((n)     & 0xF))
+
+/* Construct a string literal encoding the version number. */
+#ifdef COMPILER_VERSION
+char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]";
+
+/* Construct a string literal encoding the version number components. */
+#elif defined(COMPILER_VERSION_MAJOR)
+char const info_version[] = {
+  'I', 'N', 'F', 'O', ':',
+  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[',
+  COMPILER_VERSION_MAJOR,
+# ifdef COMPILER_VERSION_MINOR
+  '.', COMPILER_VERSION_MINOR,
+#  ifdef COMPILER_VERSION_PATCH
+   '.', COMPILER_VERSION_PATCH,
+#   ifdef COMPILER_VERSION_TWEAK
+    '.', COMPILER_VERSION_TWEAK,
+#   endif
+#  endif
+# endif
+  ']','\0'};
+#endif
+
+/* Construct a string literal encoding the internal version number. */
+#ifdef COMPILER_VERSION_INTERNAL
+char const info_version_internal[] = {
+  'I', 'N', 'F', 'O', ':',
+  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_',
+  'i','n','t','e','r','n','a','l','[',
+  COMPILER_VERSION_INTERNAL,']','\0'};
+#elif defined(COMPILER_VERSION_INTERNAL_STR)
+char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]";
+#endif
+
+/* Construct a string literal encoding the version number components. */
+#ifdef SIMULATE_VERSION_MAJOR
+char const info_simulate_version[] = {
+  'I', 'N', 'F', 'O', ':',
+  's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[',
+  SIMULATE_VERSION_MAJOR,
+# ifdef SIMULATE_VERSION_MINOR
+  '.', SIMULATE_VERSION_MINOR,
+#  ifdef SIMULATE_VERSION_PATCH
+   '.', SIMULATE_VERSION_PATCH,
+#   ifdef SIMULATE_VERSION_TWEAK
+    '.', SIMULATE_VERSION_TWEAK,
+#   endif
+#  endif
+# endif
+  ']','\0'};
+#endif
+
+/* Construct the string literal in pieces to prevent the source from
+   getting matched.  Store it in a pointer rather than an array
+   because some compilers will just produce instructions to fill the
+   array rather than assigning a pointer to a static array.  */
+char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]";
+char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]";
+
+
+
+#if defined(__INTEL_COMPILER) && defined(_MSVC_LANG) && _MSVC_LANG < 201403L
+#  if defined(__INTEL_CXX11_MODE__)
+#    if defined(__cpp_aggregate_nsdmi)
+#      define CXX_STD 201402L
+#    else
+#      define CXX_STD 201103L
+#    endif
+#  else
+#    define CXX_STD 199711L
+#  endif
+#elif defined(_MSC_VER) && defined(_MSVC_LANG)
+#  define CXX_STD _MSVC_LANG
+#else
+#  define CXX_STD __cplusplus
+#endif
+
+const char* info_language_standard_default = "INFO" ":" "standard_default["
+#if CXX_STD > 202002L
+  "23"
+#elif CXX_STD > 201703L
+  "20"
+#elif CXX_STD >= 201703L
+  "17"
+#elif CXX_STD >= 201402L
+  "14"
+#elif CXX_STD >= 201103L
+  "11"
+#else
+  "98"
+#endif
+"]";
+
+const char* info_language_extensions_default = "INFO" ":" "extensions_default["
+#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) ||           \
+     defined(__TI_COMPILER_VERSION__)) &&                                     \
+  !defined(__STRICT_ANSI__)
+  "ON"
+#else
+  "OFF"
+#endif
+"]";
+
+/*--------------------------------------------------------------------------*/
+
+int main(int argc, char* argv[])
+{
+  int require = 0;
+  require += info_compiler[argc];
+  require += info_platform[argc];
+  require += info_arch[argc];
+#ifdef COMPILER_VERSION_MAJOR
+  require += info_version[argc];
+#endif
+#ifdef COMPILER_VERSION_INTERNAL
+  require += info_version_internal[argc];
+#endif
+#ifdef SIMULATE_ID
+  require += info_simulate[argc];
+#endif
+#ifdef SIMULATE_VERSION_MAJOR
+  require += info_simulate_version[argc];
+#endif
+#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
+  require += info_cray[argc];
+#endif
+  require += info_language_standard_default[argc];
+  require += info_language_extensions_default[argc];
+  (void)argv;
+  return require;
+}
diff --git a/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml b/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
new file mode 100644
index 000000000000..353c44960b88
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
@@ -0,0 +1,451 @@
+
+---
+events:
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineSystem.cmake:204 (message)"
+      - "CMakeLists.txt"
+    message: |
+      The system is: Linux - 5.18.13-200.fc36.aarch64 - aarch64
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCCompiler.cmake:123 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the C compiler identification source file "CMakeCCompilerId.c" succeeded.
+      Compiler: /usr/bin/cc 
+      Build flags: 
+      Id flags:  
+      
+      The output was:
+      0
+      
+      
+      Compilation of the C compiler identification source "CMakeCCompilerId.c" produced "a.out"
+      
+      The C compiler identification is GNU, found in:
+        /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags:  
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: -c 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: --c++ 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: --ec++ 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: -c;-I__does_not_exist__ 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags:  
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: -c 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: --c++ 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: --ec++ 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
+      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
+      - "CMakeLists.txt"
+    message: |
+      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
+      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
+      Build flags: 
+      Id flags: -c;-I__does_not_exist__ 
+      
+      The output was:
+      No such file or directory
+      
+      
+  -
+    kind: "try_compile-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:57 (try_compile)"
+      - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)"
+      - "CMakeLists.txt"
+    checks:
+      - "Detecting C compiler ABI info"
+    directories:
+      source: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C"
+      binary: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C"
+    cmakeVariables:
+      CMAKE_C_FLAGS: ""
+    buildResult:
+      variable: "CMAKE_C_ABI_COMPILED"
+      cached: true
+      stdout: |
+        Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C
+        
+        Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake  -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build
+        gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C'
+        Building C object CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o
+        /usr/bin/cc   -v -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c
+        Using built-in specs.
+        COLLECT_GCC=/usr/bin/cc
+        Target: aarch64-redhat-linux
+        Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1
+        Thread model: posix
+        Supported LTO compression algorithms: zlib zstd
+        gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) 
+        COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'
+         /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s
+        GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)
+        	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP
+        
+        GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
+        ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed"
+        ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include"
+        #include "..." search starts here:
+        #include <...> search starts here:
+         /usr/lib/gcc/aarch64-redhat-linux/12/include
+         /usr/local/include
+         /usr/include
+        End of search list.
+        GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)
+        	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP
+        
+        GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
+        Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454
+        COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'
+         as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s
+        GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36
+        COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/
+        LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/
+        COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.'
+        Linking C executable cmTC_cf024
+        /usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1
+        /usr/bin/cc  -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 
+        Using built-in specs.
+        COLLECT_GCC=/usr/bin/cc
+        COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper
+        Target: aarch64-redhat-linux
+        Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1
+        Thread model: posix
+        Supported LTO compression algorithms: zlib zstd
+        gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) 
+        COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/
+        LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/
+        COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.'
+         /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o
+        COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.'
+        gmake[1]: Leaving directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C'
+        
+      exitCode: 0
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:127 (message)"
+      - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)"
+      - "CMakeLists.txt"
+    message: |
+      Parsed C implicit include dir info: rv=done
+        found start of include info
+        found start of implicit include info
+          add: [/usr/lib/gcc/aarch64-redhat-linux/12/include]
+          add: [/usr/local/include]
+          add: [/usr/include]
+        end of search list found
+        collapse include dir [/usr/lib/gcc/aarch64-redhat-linux/12/include] ==> [/usr/lib/gcc/aarch64-redhat-linux/12/include]
+        collapse include dir [/usr/local/include] ==> [/usr/local/include]
+        collapse include dir [/usr/include] ==> [/usr/include]
+        implicit include dirs: [/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include]
+      
+      
+  -
+    kind: "message-v1"
+    backtrace:
+      - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:152 (message)"
+      - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)"
+      - "CMakeLists.txt"
+    message: |
+      Parsed C implicit link information:
+        link line regex: [^( *|.*[/\\])(ld|CMAKE_LINK_STARTFILE-NOTFOUND|([^/\\]+-)?ld|collect2)[^/\\]*( |$)]
+        ignore line: [Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C]
+        ignore line: []
+        ignore line: [Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake  -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build]
+        ignore line: [gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C']
+        ignore line: [Building C object CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o]
+        ignore line: [/usr/bin/cc   -v -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c]
+        ignore line: [Using built-in specs.]
+        ignore line: [COLLECT_GCC=/usr/bin/cc]
+        ignore line: [Target: aarch64-redhat-linux]
+        ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1]
+        ignore line: [Thread model: posix]
+        ignore line: [Supported LTO compression algorithms: zlib zstd]
+        ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ]
+        ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/']
+        ignore line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s]
+        ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)]
+        ignore line: [	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1)  GMP version 6.2.1  MPFR version 4.1.0-p13  MPC version 1.2.1  isl version isl-0.18-GMP]
+        ignore line: []
+        ignore line: [GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072]
+        ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed"]
+        ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include"]
+        ignore line: [#include "..." search starts here:]
+        ignore line: [#include <...> search starts here:]
+        ignore line: [ /usr/lib/gcc/aarch64-redhat-linux/12/include]
+        ignore line: [ /usr/local/include]
+        ignore line: [ /usr/include]
+        ignore line: [End of search list.]
+        ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)]
+        ignore line: [	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1)  GMP version 6.2.1  MPFR version 4.1.0-p13  MPC version 1.2.1  isl version isl-0.18-GMP]
+        ignore line: []
+        ignore line: [GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072]
+        ignore line: [Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454]
+        ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/']
+        ignore line: [ as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s]
+        ignore line: [GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36]
+        ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/]
+        ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/]
+        ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.']
+        ignore line: [Linking C executable cmTC_cf024]
+        ignore line: [/usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1]
+        ignore line: [/usr/bin/cc  -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 ]
+        ignore line: [Using built-in specs.]
+        ignore line: [COLLECT_GCC=/usr/bin/cc]
+        ignore line: [COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper]
+        ignore line: [Target: aarch64-redhat-linux]
+        ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1]
+        ignore line: [Thread model: posix]
+        ignore line: [Supported LTO compression algorithms: zlib zstd]
+        ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ]
+        ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/]
+        ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/]
+        ignore line: [COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.']
+        link line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o]
+          arg [/usr/libexec/gcc/aarch64-redhat-linux/12/collect2] ==> ignore
+          arg [-plugin] ==> ignore
+          arg [/usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so] ==> ignore
+          arg [-plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper] ==> ignore
+          arg [-plugin-opt=-fresolution=/tmp/cchKwJNt.res] ==> ignore
+          arg [-plugin-opt=-pass-through=-lgcc] ==> ignore
+          arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore
+          arg [-plugin-opt=-pass-through=-lc] ==> ignore
+          arg [-plugin-opt=-pass-through=-lgcc] ==> ignore
+          arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore
+          arg [--build-id] ==> ignore
+          arg [--no-add-needed] ==> ignore
+          arg [--eh-frame-hdr] ==> ignore
+          arg [--hash-style=gnu] ==> ignore
+          arg [-export-dynamic] ==> ignore
+          arg [-dynamic-linker] ==> ignore
+          arg [/lib/ld-linux-aarch64.so.1] ==> ignore
+          arg [-X] ==> ignore
+          arg [-EL] ==> ignore
+          arg [-maarch64linux] ==> ignore
+          arg [-o] ==> ignore
+          arg [cmTC_cf024] ==> ignore
+          arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o]
+          arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o]
+          arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o]
+          arg [-L/usr/lib/gcc/aarch64-redhat-linux/12] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12]
+          arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64]
+          arg [-L/lib/../lib64] ==> dir [/lib/../lib64]
+          arg [-L/usr/lib/../lib64] ==> dir [/usr/lib/../lib64]
+          arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..]
+          arg [CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o] ==> ignore
+          arg [-lgcc] ==> lib [gcc]
+          arg [--push-state] ==> ignore
+          arg [--as-needed] ==> ignore
+          arg [-lgcc_s] ==> lib [gcc_s]
+          arg [--pop-state] ==> ignore
+          arg [-lc] ==> lib [c]
+          arg [-lgcc] ==> lib [gcc]
+          arg [--push-state] ==> ignore
+          arg [--as-needed] ==> ignore
+          arg [-lgcc_s] ==> lib [gcc_s]
+          arg [--pop-state] ==> ignore
+          arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o]
+          arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o]
+        collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> [/usr/lib64/crt1.o]
+        collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> [/usr/lib64/crti.o]
+        collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> [/usr/lib64/crtn.o]
+        collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12] ==> [/usr/lib/gcc/aarch64-redhat-linux/12]
+        collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> [/usr/lib64]
+        collapse library dir [/lib/../lib64] ==> [/lib64]
+        collapse library dir [/usr/lib/../lib64] ==> [/usr/lib64]
+        collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> [/usr/lib]
+        implicit libs: [gcc;gcc_s;c;gcc;gcc_s]
+        implicit objs: [/usr/lib64/crt1.o;/usr/lib64/crti.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o;/usr/lib64/crtn.o]
+        implicit dirs: [/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib]
+        implicit fwks: []
+      
+      
+...
diff --git a/products/bascontrol22d4/CMakeFiles/cmake.check_cache b/products/bascontrol22d4/CMakeFiles/cmake.check_cache
new file mode 100644
index 000000000000..3dccd731726d
--- /dev/null
+++ b/products/bascontrol22d4/CMakeFiles/cmake.check_cache
@@ -0,0 +1 @@
+# This file is generated by cmake for dependency checking of the CMakeCache.txt file
diff --git a/products/bascontrol22d4/CMakeLists.txt b/products/bascontrol22d4/CMakeLists.txt
new file mode 100644
index 000000000000..53f23a29ba13
--- /dev/null
+++ b/products/bascontrol22d4/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd bascontrol22d4; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("bascontrol22d4")
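Review bot: This CMakeLists.txt is only meaningful when driven from the root build, yet the same commit checks in the artifacts of running cmake inside this product directory — `products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml` and `products/bascontrol22d4/CMakeFiles/cmake.check_cache` appear as new files above, and the diffstat lists `CMakeCache.txt` and compiler-id binaries too. Those files are host-specific build output that embeds absolute workstation paths (`/home/parallels/compliance_as_code/content-cealcorn/...`), compiler checksums and toolchain details, none of which belong in the source tree. Drop them from the commit and make sure `CMakeFiles/` and `CMakeCache.txt` under `products/` stay ignored so a stray in-directory `cmake .`, which this guard is meant to catch, cannot leak them again. The cmake logic itself matches the other product directories and needs no change.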
diff --git a/products/bascontrol22d4/product.yml b/products/bascontrol22d4/product.yml
new file mode 100644
index 000000000000..f0acfc6162dd
--- /dev/null
+++ b/products/bascontrol22d4/product.yml
@@ -0,0 +1,17 @@
+product: bascontrol22d4
+full_name: Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4
+type: product
+
+benchmark_id: BASCONTROL22D-4
+benchmark_root: "./guide"
+
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  bascontrol22d4:
+    name: "cpe:/o:bascontrol22d:4"
+    title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4"
+    check_id: installed_app_is_bascontrol22d4
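Review bot: `check_id: installed_app_is_bascontrol22d4` does not match the definition id declared in the new shared/applicability/oval/installed_app_is_bascontrol22d4.xml, which is `installed_app_is_bascontrol22d` with `version="4"`; the applicability check cannot resolve unless the two agree, and the filename suggests the OVAL side is the one to fix, e.g. `id="installed_app_is_bascontrol22d4" version="1"`. The CPE on the `name:` line also looks shifted: in the `cpe:/part:vendor:product:version` layout, `bascontrol22d` sits in the vendor slot and `4` in the product slot, so a form like `name: "cpe:/o:contemporary_controls:bascontrol22d:4"` (a constructed example — confirm the vendor token) is what the other entries of this shape would lead a reader to expect. Whether part `o` (operating system) is right for something identified by an `installed_app_is_` check is worth confirming at the same time.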
diff --git a/products/bascontrol22d4/profiles/standard.profile b/products/bascontrol22d4/profiles/standard.profile
new file mode 100644
index 000000000000..1cc540965a81
--- /dev/null
+++ b/products/bascontrol22d4/profiles/standard.profile
@@ -0,0 +1,10 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4'
+
+description: |-
+    This profile contains rules to ensure standard security baseline
+    of a Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4 system.
+
+selections:
+    - firefox_policy-addons_permission
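Review bot: The only selection in the new standard profile is `firefox_policy-addons_permission`, a Firefox policy rule with no bearing on a BACnet/IP controller, so the profile's description of a "standard security baseline" for the device is not backed by any applicable rule. This looks carried over from another product's profile; either replace the selection with rules that apply to the controller or, if the build accepts it, leave the list empty with a marker such as `# TODO: populate with BAScontrol22D-applicable rules` rather than shipping a Firefox check under this product.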
diff --git a/shared/applicability/oval/installed_app_is_bascontrol22d4.xml b/shared/applicability/oval/installed_app_is_bascontrol22d4.xml
new file mode 100644
index 000000000000..bef7e8324fea
--- /dev/null
+++ b/shared/applicability/oval/installed_app_is_bascontrol22d4.xml
@@ -0,0 +1,28 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_app_is_bascontrol22d" version="4">
+    <metadata>
+      <title>Mozilla Firefox
+      
+        Mozilla Firefox
+      
+      
+      The application installed on the system is firefox.
+       
+    
+      
+      
+    
+  
+
+  
+    
+  
+  
+    firefox
+  
+
+
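Review bot: The definition body in installed_app_is_bascontrol22d4.xml still describes Mozilla Firefox — the title reads `Mozilla Firefox`, the description says the application installed on the system is firefox, and the only test value visible is `firefox` — so as written this inventory definition would identify a Firefox package rather than the BAScontrol22D controller, and every rule scoped to this CPE would be evaluated against the wrong platform. The markup is partly stripped in this view, so the exact test, object and state elements cannot be verified here, but the title, description and the `firefox` value all need replacing with a check that actually identifies the device (a file, package or version string specific to the controller).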
diff --git a/ssg/constants.py b/ssg/constants.py
index 624e2571cade..c9c1d83d3c9f 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -43,6 +43,7 @@
     'anolis8',
     'anolis23',
     'al2023',
+    'bascontrol22d4',
     'debian11', 'debian12', 'debian13',
     'example',
     'eks',
@@ -213,6 +214,7 @@
     "Anolis OS 8": "anolis8",
     "Anolis OS 23": "anolis23",
     "Amazon Linux 2023": "al2023",
+    "Contemporary Controls BAScontrol22D 4": "bascontrol33d4",
     "Debian 11": "debian11",
     "Debian 12": "debian12",
     "Debian 13": "debian13",
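Review bot: The new entry maps `"Contemporary Controls BAScontrol22D 4"` to `"bascontrol33d4"`, which is not the product id registered in the other hunks of this file (`'bascontrol22d4'` in the product list and `"multi_platform_bascontrol22d": ["bascontrol22d4"]`); the line should read `"Contemporary Controls BAScontrol22D 4": "bascontrol22d4",`. The key also drops the `BACnet/IP Sedona Unitary Controller` part of the `full_name` used in product.yml, which matters if this dictionary is looked up by that full name. Minor: in the last hunk the new `'bascontrol22d'` entry is inserted between `rhv` and `debian` rather than at the alphabetical position the other hunks use for this addition.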
@@ -287,17 +289,15 @@
     )
 )
 
-
-MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
-                       "openeuler", "kylinserver",
-                       "opensuse", "sle", "tencentos", "ol", "ocp", "rhcos",
-                       "example", "eks", "alinux", "anolis", "openembedded", "al",
-                       "slmicro", "almalinux"]
+MULTI_PLATFORM_LIST = ["al", "alinux", "almalinux", "anolis", "bascontrol22d", "debian", "eks",
+                       "example", "fedora", "kylinserver", "ocp", "ol", "openembedded", "openeuler",
+                       "opensuse", "rhcos", "rhel", "rhv", "sle", "slmicro", "tencentos", "ubuntu"]
 
 MULTI_PLATFORM_MAPPING = {
     "multi_platform_alinux": ["alinux2", "alinux3"],
     "multi_platform_almalinux": ["almalinux9"],
     "multi_platform_anolis": ["anolis8", "anolis23"],
+    "multi_platform_bascontrol22d": ["bascontrol22d4"],
     "multi_platform_debian": ["debian11", "debian12", "debian13"],
     "multi_platform_example": ["example"],
     "multi_platform_eks": ["eks"],
@@ -429,6 +429,7 @@
     'kylinserver': 'Kylin Server',
     'rhel': 'Red Hat Enterprise Linux',
     'rhv': 'Red Hat Virtualization',
+    'bascontrol22d': 'Contemporary Controls BAScontrol22D',
     'debian': 'Debian',
     'ubuntu': 'Ubuntu',
     'eap': 'JBoss Enterprise Application Platform',

From 3e1e42bf396d0ad3fbccbb6c4aaf83fe8920b300 Mon Sep 17 00:00:00 2001
From: cealcorn 
Date: Tue, 3 Feb 2026 20:29:08 -0800
Subject: [PATCH 262/265] Add products/bascontroll22d4/CMakeFiles/ to
 .gitignore

---
 .gitignore | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitignore b/.gitignore
index 7e03e62a5433..ce5a7ad30cba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -82,6 +82,10 @@ coverage.xml
 
 # Trestle specfic
 shared/references/oscal/.trestle/cache
+<<<<<<< HEAD
 
 # Ignore user-specific CLAUDE preferences
 CLAUDE.local.md
+
+# Ignore BAS CMakeFiles
+products/bascontrol22d4/CMakeFiles/
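Review bot: The added line `<<<<<<< HEAD` is a merge-conflict marker committed into .gitignore; git will read it as a meaningless ignore pattern and it signals an unresolved merge, so it should be deleted before this lands. The new pattern `products/bascontrol22d4/CMakeFiles/` covers only that directory; a generated `CMakeCache.txt` configured in the same product directory would still be trackable, so a repo-wide rule for CMake build output (if one is not already present above this hunk) would prevent generated files from being re-committed for this or any other product.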

From 6c47b48ec21a3301956692a49088de098e5aca3d Mon Sep 17 00:00:00 2001
From: cealcorn 
Date: Tue, 3 Feb 2026 20:30:18 -0800
Subject: [PATCH 263/265] Remove products/bascontrols22d4/CMakeFiles/ from repo

---
 .../CMakeFiles/3.26.3/CMakeCCompiler.cmake    |  72 --
 .../3.26.3/CMakeDetermineCompilerABI_C.bin    | Bin 80488 -> 0 bytes
 .../CMakeFiles/3.26.3/CMakeSystem.cmake       |  15 -
 .../3.26.3/CompilerIdC/CMakeCCompilerId.c     | 866 ------------------
 .../CMakeFiles/3.26.3/CompilerIdC/a.out       | Bin 80632 -> 0 bytes
 .../CompilerIdCXX/CMakeCXXCompilerId.cpp      | 855 -----------------
 .../CMakeFiles/CMakeConfigureLog.yaml         | 451 ---------
 .../CMakeFiles/cmake.check_cache              |   1 -
 8 files changed, 2260 deletions(-)
 delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake
 delete mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin
 delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CMakeSystem.cmake
 delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/CMakeCCompilerId.c
 delete mode 100755 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out
 delete mode 100644 products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp
 delete mode 100644 products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
 delete mode 100644 products/bascontrol22d4/CMakeFiles/cmake.check_cache

diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake
deleted file mode 100644
index 9db2d954e33a..000000000000
--- a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeCCompiler.cmake
+++ /dev/null
@@ -1,72 +0,0 @@
-set(CMAKE_C_COMPILER "/usr/bin/cc")
-set(CMAKE_C_COMPILER_ARG1 "")
-set(CMAKE_C_COMPILER_ID "GNU")
-set(CMAKE_C_COMPILER_VERSION "12.1.1")
-set(CMAKE_C_COMPILER_VERSION_INTERNAL "")
-set(CMAKE_C_COMPILER_WRAPPER "")
-set(CMAKE_C_STANDARD_COMPUTED_DEFAULT "17")
-set(CMAKE_C_EXTENSIONS_COMPUTED_DEFAULT "ON")
-set(CMAKE_C_COMPILE_FEATURES "c_std_90;c_function_prototypes;c_std_99;c_restrict;c_variadic_macros;c_std_11;c_static_assert;c_std_17;c_std_23")
-set(CMAKE_C90_COMPILE_FEATURES "c_std_90;c_function_prototypes")
-set(CMAKE_C99_COMPILE_FEATURES "c_std_99;c_restrict;c_variadic_macros")
-set(CMAKE_C11_COMPILE_FEATURES "c_std_11;c_static_assert")
-set(CMAKE_C17_COMPILE_FEATURES "c_std_17")
-set(CMAKE_C23_COMPILE_FEATURES "c_std_23")
-
-set(CMAKE_C_PLATFORM_ID "Linux")
-set(CMAKE_C_SIMULATE_ID "")
-set(CMAKE_C_COMPILER_FRONTEND_VARIANT "GNU")
-set(CMAKE_C_SIMULATE_VERSION "")
-
-
-
-
-set(CMAKE_AR "/usr/bin/ar")
-set(CMAKE_C_COMPILER_AR "/usr/bin/gcc-ar")
-set(CMAKE_RANLIB "/usr/bin/ranlib")
-set(CMAKE_C_COMPILER_RANLIB "/usr/bin/gcc-ranlib")
-set(CMAKE_LINKER "/usr/bin/ld")
-set(CMAKE_MT "")
-set(CMAKE_COMPILER_IS_GNUCC 1)
-set(CMAKE_C_COMPILER_LOADED 1)
-set(CMAKE_C_COMPILER_WORKS TRUE)
-set(CMAKE_C_ABI_COMPILED TRUE)
-
-set(CMAKE_C_COMPILER_ENV_VAR "CC")
-
-set(CMAKE_C_COMPILER_ID_RUN 1)
-set(CMAKE_C_SOURCE_FILE_EXTENSIONS c;m)
-set(CMAKE_C_IGNORE_EXTENSIONS h;H;o;O;obj;OBJ;def;DEF;rc;RC)
-set(CMAKE_C_LINKER_PREFERENCE 10)
-
-# Save compiler ABI information.
-set(CMAKE_C_SIZEOF_DATA_PTR "8")
-set(CMAKE_C_COMPILER_ABI "ELF")
-set(CMAKE_C_BYTE_ORDER "LITTLE_ENDIAN")
-set(CMAKE_C_LIBRARY_ARCHITECTURE "")
-
-if(CMAKE_C_SIZEOF_DATA_PTR)
-  set(CMAKE_SIZEOF_VOID_P "${CMAKE_C_SIZEOF_DATA_PTR}")
-endif()
-
-if(CMAKE_C_COMPILER_ABI)
-  set(CMAKE_INTERNAL_PLATFORM_ABI "${CMAKE_C_COMPILER_ABI}")
-endif()
-
-if(CMAKE_C_LIBRARY_ARCHITECTURE)
-  set(CMAKE_LIBRARY_ARCHITECTURE "")
-endif()
-
-set(CMAKE_C_CL_SHOWINCLUDES_PREFIX "")
-if(CMAKE_C_CL_SHOWINCLUDES_PREFIX)
-  set(CMAKE_CL_SHOWINCLUDES_PREFIX "${CMAKE_C_CL_SHOWINCLUDES_PREFIX}")
-endif()
-
-
-
-
-
-set(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include")
-set(CMAKE_C_IMPLICIT_LINK_LIBRARIES "gcc;gcc_s;c;gcc;gcc_s")
-set(CMAKE_C_IMPLICIT_LINK_DIRECTORIES "/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib")
-set(CMAKE_C_IMPLICIT_LINK_FRAMEWORK_DIRECTORIES "")
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin b/products/bascontrol22d4/CMakeFiles/3.26.3/CMakeDetermineCompilerABI_C.bin
deleted file mode 100755
index df1625832f344f4ea52f49e2bf1d3d149e4684b9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 80488
zcmeI3eQX@Zb->@onyJI-B@l$TS^Js$ge$4C6We-syv`d04%w6lJ&aI6^1Uk
zGPBh!vIKWD>Ob{$an-F~TurMC%hT0kea*>HzHf^vqBK;7Wt89Vp&#}0&89|ecuuz$#id#IpC!-3y9)X2
zy9&7zg?w>x>V##LhsW+bovM^lZSJ`DV0@b6-of`l?CpD(zjkWt9V1U)`N72H`@iy&
zueOcQ7^x2wk8CKBeS^xmc^VHjPrA9r83U4ceqwW7U3zo9VNe}SwHn7?pI+?fe(~oY
z+S2*b*I)hPk8D44Y1=nnzW>0p?|t>!$?T8*?Z$`CAH4Y3(;s;#bN7>1o9nMW@QX{+
z=o*@+Kf6O}j-oCZqW@@w{ub1S#rbN4{RrwCp&8rgz}$NJAZ8n39~=zmKdkl50sUpA
zuZ>edeG=mY?d=HrPousGcES8+19R@2l6)Aq-LL~E#h@bGt^Nai2_^ME*w3A)C;Mg{
zhx$k99^At0&!V2%UC{Qok};+~#Vw2vm?o~oVYA{`Wyc)1@SVC
zaokg4xQEdHs6Vocq2+BTdH=pN_gUOk67YSkyQ0c*c$thb&99}EjNuNccXd_1;nCB6
z$!Wo(_aBGdbsNVxF*ZiIS+7shd*d{E^mHuXbkEVmi>r@*>r1N%m^%*e0bjnEFjihU3UjYx``Fwp%paUfU|k(|L?Yekl?AGT=DW
z7z6f40KWUS-#+%k^!7jesR$~Rv1rS@EY-&Fj5wGCEo!FU(S
z#(QP}-u+|jdlF{OT`0qQeznb5S$*_7RkqBJ#`7=O|Fw_74;FU8^EVT)vUV7r2V@bO
zIXbtnYv%dn*oAh~A6qzVpgy*3LD$2=(Yc#g4^!4uX#Itj4eMhIEs^o5E$q`AG4igF
z;QFBT?@j%KJws=|d;w96$s_h7ld!|WaG?(Z5*gQ{14*=ff%
zOJzKEJUGyw$qaOx-Gg2I=|Qwm^;S0jAYMO_L+n7}ce_y1x$5fb+S>b3E~A`4+5E=Z
z+7l@IP}1@536#&FypHk)%6XKyrd4XxGWN(hsGB+zJFxw*+LxPApTT(Qc$;oGMCaE#
zaGOCLUvrQv`BOihKz%DIFp=&&Zl7m=%(viHz-=CNxRwFZC(=8UpR4X9zU1qLJy8H!QuigL8#Iol8KW*SSJ>Hn
zXOi#e9em$AlWiwcZK<~8$<~u6Ti@M!SMnX_>|C548gwUIAiJh|A
z0Q7phTgxz;K3(_z4QzN_KI566U|YOaujw@#*472xM)L+X9EW9C9Ij&-X2X4bc7r~1
zU%#jOL+ji(u8FqRyY57#?l;RMs#J1W*Ow=Y#e8uzIXXNXoGeIcQ#~*BRD6X?q(+~-vy|J&&wC3iluWve(m
z<{8VGoIPSq7928>IhHw={aE&6IabTD8n2V&d`u@rO6uGx=VQ6%l4~w~y(`z%?vX*R
ztJSel?w#b`N$#EG-bwDA|L?O*e%{YA>A#MX=hf-A{_|>{Tb44%HSZDL
z^6w-J{oaY+(a9XYb?2Dgm(jb$n0qf7`i?6&-~7(Y^*I*${!PaVUF+CfWJ=&ej`p}w
zQ=fo1WJ2``m?ZEHf{d%O&?|nTL3D^nz-r1vu1iopV*YA=2`bOy6Vt7?5pMWNq4b|@k
z{?5bel)$&O{C$UCzX!s;KS;o>a9w|o;kVxl{GEnhzYm(B!>dyH1Zoe4>Z@<7eLe};
z56OT%E_tYfU#j=UUSsw0m)`6KIMZ_mdgFUKpm)C;X@buOxT)`7;yZxPh1`Z~zaREA
z`^S|cgAn^3tq=Bx_6Z
z9DcpoALnxs_Fs$8bDU>(`s2J1VgK(DdX6)&#~&vVN2rnWQhWS4sO^o={b)b@(*b|{
z)7qY|H`FBJzk4@qcR$=w?~hZ6u>Vwqp2vG*t3S?PM%cd)q31Y{H~QoJM}+-e`XD8e
z=YDA2>yL9P!ak$*LC%kAeUK*~_k#9r|C``y;Q00o#@Xoj8I1oIXdlPpC+qje)R^Y@)@6pmAS9&bha7}V-{-sc1J?&@pL
zze5-&Y&|fCg#d?P)$T4>*7`%bqaW4!X5DU5>o044yVmd2dS18u{hn59ZcWg>)nJv9
zf4*Tqo8aDn{a>keYxNW?Y`ot<`*_Ip*mrdQgX`h@%6z{;HS#I_Bv__^>o!9
zynaj6(>(5j;C0R}rLVp2`W@8A@yoN|^{3l@?e*tzwBJol2T~vElK~wSpHlkT>$e>0
z8$IisUCXF%!s}IDC;UC{C$)WWTpv^VeKpsCpNO#kthNtcPyQL|liUf9{0i#B#`|}u
zr+)HvwVDp}doLc(X7zV`0G_KP~~4iewzRI4qx81I+FQX_k+Ou%?%;WAkY!wRT
z!?tzN94V5nNV>9NrjJPq#m%(=<&@o9ANluTMNKGV*#)~gxJAD2tMI8rjR(}0bXNPGX%Z@rq8tTcFc`|kCG?@LFv*!9VU__dPjFqKMnb}H3
z`TEBQz4(ukRxaLQoXIm@xM6^@feW|GQv!NTZxsaW;5vZb<9ZMy9)Y?zFCI>fq?
zqLZ@6^vWB{p)Z$Q4|fT=9-PO()_5LIS)+6w!hb2%fEx_SKnnMSaa`bTztqrDmgAK3
z*+~cYp8uspzjun^Mz?X4+T#WZlu7{q9?C7bwwxz<6gT>f5&QG=&5TyGkdY_xbq1@{
zPe8E1{`{O{N-L6VsAbT<3-$krze!^Mr{adPd`c@WsM7lTM7}Q7Y8b@KHr&{MIc{JH
z@cF6|aGl^_qTgFkmi?PaiRt%o!&{iDKmYFQn(pXpWaLRYTvbEQx$wsp)&BEy+ArYs
z5T&=f0(7z34)^yW*3)mcxXjOU=e0wt_7C=7tAU=UQCHa?HW_XeIbiB@MYa9l_#el5
z^6$`g{Cv1C#Gjti2mSvDb;LxQSFht|wSs?dr^BnZI8XB9xOx5gdGmAH|6Z>#=GAYI
zJh~?X{?K5!wfcv1R{|5JYh4@s|1@si_WAks6+KX1C+tA1yy+P%kU#V1>+yN*|B%-h
z^UROcU&M^ppYNyo^bh;G*ig%0`+pPg=jZ0L+W+qZ{=xRIVLjc$(mp_mpRX^jy5*of
zmsx%f&FFVj?9b2Pm)@lR4fLg{W`BNOzpVY|_5AVr;&yo*+(ch8VSj$Ee_cOOPhy=n
zu|Lb#vC`|$&;J*-Kkt7WgZ)_kBH+*WbNl99SloZU-#Yjv{r^kH
z4EB@#Q`MH-47blRff?FWX0#pOHxB6b_vi;Ac;~26aQ#snUi;cai3^9^7RIzA9S8mZ
pH|ECs6)jU9yK>b3t{>Mu>24 & 0x00FF)
-# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF)
-# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__     & 0xFFFF)
-
-#elif defined(__BORLANDC__)
-# define COMPILER_ID "Borland"
-  /* __BORLANDC__ = 0xVRR */
-# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8)
-# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF)
-
-#elif defined(__WATCOMC__) && __WATCOMC__ < 1200
-# define COMPILER_ID "Watcom"
-   /* __WATCOMC__ = VVRR */
-# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100)
-# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
-# if (__WATCOMC__ % 10) > 0
-#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
-# endif
-
-#elif defined(__WATCOMC__)
-# define COMPILER_ID "OpenWatcom"
-   /* __WATCOMC__ = VVRP + 1100 */
-# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100)
-# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
-# if (__WATCOMC__ % 10) > 0
-#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
-# endif
-
-#elif defined(__SUNPRO_C)
-# define COMPILER_ID "SunPro"
-# if __SUNPRO_C >= 0x5100
-   /* __SUNPRO_C = 0xVRRP */
-#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>12)
-#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xFF)
-#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_C    & 0xF)
-# else
-   /* __SUNPRO_CC = 0xVRP */
-#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_C>>8)
-#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_C>>4 & 0xF)
-#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_C    & 0xF)
-# endif
-
-#elif defined(__HP_cc)
-# define COMPILER_ID "HP"
-  /* __HP_cc = VVRRPP */
-# define COMPILER_VERSION_MAJOR DEC(__HP_cc/10000)
-# define COMPILER_VERSION_MINOR DEC(__HP_cc/100 % 100)
-# define COMPILER_VERSION_PATCH DEC(__HP_cc     % 100)
-
-#elif defined(__DECC)
-# define COMPILER_ID "Compaq"
-  /* __DECC_VER = VVRRTPPPP */
-# define COMPILER_VERSION_MAJOR DEC(__DECC_VER/10000000)
-# define COMPILER_VERSION_MINOR DEC(__DECC_VER/100000  % 100)
-# define COMPILER_VERSION_PATCH DEC(__DECC_VER         % 10000)
-
-#elif defined(__IBMC__) && defined(__COMPILER_VER__)
-# define COMPILER_ID "zOS"
-  /* __IBMC__ = VRP */
-# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100)
-# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__IBMC__    % 10)
-
-#elif defined(__open_xl__) && defined(__clang__)
-# define COMPILER_ID "IBMClang"
-# define COMPILER_VERSION_MAJOR DEC(__open_xl_version__)
-# define COMPILER_VERSION_MINOR DEC(__open_xl_release__)
-# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__)
-# define COMPILER_VERSION_TWEAK DEC(__open_xl_ptf_fix_level__)
-
-
-#elif defined(__ibmxl__) && defined(__clang__)
-# define COMPILER_ID "XLClang"
-# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__)
-# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__)
-# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__)
-# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__)
-
-
-#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ >= 800
-# define COMPILER_ID "XL"
-  /* __IBMC__ = VRP */
-# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100)
-# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__IBMC__    % 10)
-
-#elif defined(__IBMC__) && !defined(__COMPILER_VER__) && __IBMC__ < 800
-# define COMPILER_ID "VisualAge"
-  /* __IBMC__ = VRP */
-# define COMPILER_VERSION_MAJOR DEC(__IBMC__/100)
-# define COMPILER_VERSION_MINOR DEC(__IBMC__/10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__IBMC__    % 10)
-
-#elif defined(__NVCOMPILER)
-# define COMPILER_ID "NVHPC"
-# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__)
-# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__)
-# if defined(__NVCOMPILER_PATCHLEVEL__)
-#  define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__)
-# endif
-
-#elif defined(__PGI)
-# define COMPILER_ID "PGI"
-# define COMPILER_VERSION_MAJOR DEC(__PGIC__)
-# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__)
-# if defined(__PGIC_PATCHLEVEL__)
-#  define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__)
-# endif
-
-#elif defined(_CRAYC)
-# define COMPILER_ID "Cray"
-# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR)
-# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR)
-
-#elif defined(__TI_COMPILER_VERSION__)
-# define COMPILER_ID "TI"
-  /* __TI_COMPILER_VERSION__ = VVVRRRPPP */
-# define COMPILER_VERSION_MAJOR DEC(__TI_COMPILER_VERSION__/1000000)
-# define COMPILER_VERSION_MINOR DEC(__TI_COMPILER_VERSION__/1000   % 1000)
-# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__        % 1000)
-
-#elif defined(__CLANG_FUJITSU)
-# define COMPILER_ID "FujitsuClang"
-# define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
-# define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
-# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
-# define COMPILER_VERSION_INTERNAL_STR __clang_version__
-
-
-#elif defined(__FUJITSU)
-# define COMPILER_ID "Fujitsu"
-# if defined(__FCC_version__)
-#   define COMPILER_VERSION __FCC_version__
-# elif defined(__FCC_major__)
-#   define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
-#   define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
-#   define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
-# endif
-# if defined(__fcc_version)
-#   define COMPILER_VERSION_INTERNAL DEC(__fcc_version)
-# elif defined(__FCC_VERSION)
-#   define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION)
-# endif
-
-
-#elif defined(__ghs__)
-# define COMPILER_ID "GHS"
-/* __GHS_VERSION_NUMBER = VVVVRP */
-# ifdef __GHS_VERSION_NUMBER
-# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100)
-# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER      % 10)
-# endif
-
-#elif defined(__TASKING__)
-# define COMPILER_ID "Tasking"
-  # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000)
-  # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100)
-# define COMPILER_VERSION_INTERNAL DEC(__VERSION__)
-
-#elif defined(__TINYC__)
-# define COMPILER_ID "TinyCC"
-
-#elif defined(__BCC__)
-# define COMPILER_ID "Bruce"
-
-#elif defined(__SCO_VERSION__)
-# define COMPILER_ID "SCO"
-
-#elif defined(__ARMCC_VERSION) && !defined(__clang__)
-# define COMPILER_ID "ARMCC"
-#if __ARMCC_VERSION >= 1000000
-  /* __ARMCC_VERSION = VRRPPPP */
-  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000)
-  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 100)
-  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION     % 10000)
-#else
-  /* __ARMCC_VERSION = VRPPPP */
-  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000)
-  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10)
-  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION    % 10000)
-#endif
-
-
-#elif defined(__clang__) && defined(__apple_build_version__)
-# define COMPILER_ID "AppleClang"
-# if defined(_MSC_VER)
-#  define SIMULATE_ID "MSVC"
-# endif
-# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
-# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
-# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
-# if defined(_MSC_VER)
-   /* _MSC_VER = VVRR */
-#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
-#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
-# endif
-# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__)
-
-#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION)
-# define COMPILER_ID "ARMClang"
-  # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000)
-  # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100)
-  # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION     % 10000)
-# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION)
-
-#elif defined(__clang__)
-# define COMPILER_ID "Clang"
-# if defined(_MSC_VER)
-#  define SIMULATE_ID "MSVC"
-# endif
-# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
-# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
-# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
-# if defined(_MSC_VER)
-   /* _MSC_VER = VVRR */
-#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
-#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
-# endif
-
-#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__))
-# define COMPILER_ID "LCC"
-# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100)
-# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100)
-# if defined(__LCC_MINOR__)
-#  define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__)
-# endif
-# if defined(__GNUC__) && defined(__GNUC_MINOR__)
-#  define SIMULATE_ID "GNU"
-#  define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
-#  define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
-#  if defined(__GNUC_PATCHLEVEL__)
-#   define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
-#  endif
-# endif
-
-#elif defined(__GNUC__)
-# define COMPILER_ID "GNU"
-# define COMPILER_VERSION_MAJOR DEC(__GNUC__)
-# if defined(__GNUC_MINOR__)
-#  define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__)
-# endif
-# if defined(__GNUC_PATCHLEVEL__)
-#  define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
-# endif
-
-#elif defined(_MSC_VER)
-# define COMPILER_ID "MSVC"
-  /* _MSC_VER = VVRR */
-# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100)
-# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100)
-# if defined(_MSC_FULL_VER)
-#  if _MSC_VER >= 1400
-    /* _MSC_FULL_VER = VVRRPPPPP */
-#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000)
-#  else
-    /* _MSC_FULL_VER = VVRRPPPP */
-#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000)
-#  endif
-# endif
-# if defined(_MSC_BUILD)
-#  define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD)
-# endif
-
-#elif defined(_ADI_COMPILER)
-# define COMPILER_ID "ADSP"
-#if defined(__VERSIONNUM__)
-  /* __VERSIONNUM__ = 0xVVRRPPTT */
-#  define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF)
-#  define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF)
-#  define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF)
-#  define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF)
-#endif
-
-#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
-# define COMPILER_ID "IAR"
-# if defined(__VER__) && defined(__ICCARM__)
-#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000)
-#  define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000)
-#  define COMPILER_VERSION_PATCH DEC((__VER__) % 1000)
-#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
-# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__))
-#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 100)
-#  define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100))
-#  define COMPILER_VERSION_PATCH DEC(__SUBVERSION__)
-#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
-# endif
-
-#elif defined(__SDCC_VERSION_MAJOR) || defined(SDCC)
-# define COMPILER_ID "SDCC"
-# if defined(__SDCC_VERSION_MAJOR)
-#  define COMPILER_VERSION_MAJOR DEC(__SDCC_VERSION_MAJOR)
-#  define COMPILER_VERSION_MINOR DEC(__SDCC_VERSION_MINOR)
-#  define COMPILER_VERSION_PATCH DEC(__SDCC_VERSION_PATCH)
-# else
-  /* SDCC = VRP */
-#  define COMPILER_VERSION_MAJOR DEC(SDCC/100)
-#  define COMPILER_VERSION_MINOR DEC(SDCC/10 % 10)
-#  define COMPILER_VERSION_PATCH DEC(SDCC    % 10)
-# endif
-
-
-/* These compilers are either not known or too old to define an
-  identification macro.  Try to identify the platform and guess that
-  it is the native compiler.  */
-#elif defined(__hpux) || defined(__hpua)
-# define COMPILER_ID "HP"
-
-#else /* unknown compiler */
-# define COMPILER_ID ""
-#endif
-
-/* Construct the string literal in pieces to prevent the source from
-   getting matched.  Store it in a pointer rather than an array
-   because some compilers will just produce instructions to fill the
-   array rather than assigning a pointer to a static array.  */
-char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]";
-#ifdef SIMULATE_ID
-char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]";
-#endif
-
-#ifdef __QNXNTO__
-char const* qnxnto = "INFO" ":" "qnxnto[]";
-#endif
-
-#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
-char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]";
-#endif
-
-#define STRINGIFY_HELPER(X) #X
-#define STRINGIFY(X) STRINGIFY_HELPER(X)
-
-/* Identify known platforms by name.  */
-#if defined(__linux) || defined(__linux__) || defined(linux)
-# define PLATFORM_ID "Linux"
-
-#elif defined(__MSYS__)
-# define PLATFORM_ID "MSYS"
-
-#elif defined(__CYGWIN__)
-# define PLATFORM_ID "Cygwin"
-
-#elif defined(__MINGW32__)
-# define PLATFORM_ID "MinGW"
-
-#elif defined(__APPLE__)
-# define PLATFORM_ID "Darwin"
-
-#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
-# define PLATFORM_ID "Windows"
-
-#elif defined(__FreeBSD__) || defined(__FreeBSD)
-# define PLATFORM_ID "FreeBSD"
-
-#elif defined(__NetBSD__) || defined(__NetBSD)
-# define PLATFORM_ID "NetBSD"
-
-#elif defined(__OpenBSD__) || defined(__OPENBSD)
-# define PLATFORM_ID "OpenBSD"
-
-#elif defined(__sun) || defined(sun)
-# define PLATFORM_ID "SunOS"
-
-#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__)
-# define PLATFORM_ID "AIX"
-
-#elif defined(__hpux) || defined(__hpux__)
-# define PLATFORM_ID "HP-UX"
-
-#elif defined(__HAIKU__)
-# define PLATFORM_ID "Haiku"
-
-#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS)
-# define PLATFORM_ID "BeOS"
-
-#elif defined(__QNX__) || defined(__QNXNTO__)
-# define PLATFORM_ID "QNX"
-
-#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__)
-# define PLATFORM_ID "Tru64"
-
-#elif defined(__riscos) || defined(__riscos__)
-# define PLATFORM_ID "RISCos"
-
-#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__)
-# define PLATFORM_ID "SINIX"
-
-#elif defined(__UNIX_SV__)
-# define PLATFORM_ID "UNIX_SV"
-
-#elif defined(__bsdos__)
-# define PLATFORM_ID "BSDOS"
-
-#elif defined(_MPRAS) || defined(MPRAS)
-# define PLATFORM_ID "MP-RAS"
-
-#elif defined(__osf) || defined(__osf__)
-# define PLATFORM_ID "OSF1"
-
-#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv)
-# define PLATFORM_ID "SCO_SV"
-
-#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX)
-# define PLATFORM_ID "ULTRIX"
-
-#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX)
-# define PLATFORM_ID "Xenix"
-
-#elif defined(__WATCOMC__)
-# if defined(__LINUX__)
-#  define PLATFORM_ID "Linux"
-
-# elif defined(__DOS__)
-#  define PLATFORM_ID "DOS"
-
-# elif defined(__OS2__)
-#  define PLATFORM_ID "OS2"
-
-# elif defined(__WINDOWS__)
-#  define PLATFORM_ID "Windows3x"
-
-# elif defined(__VXWORKS__)
-#  define PLATFORM_ID "VxWorks"
-
-# else /* unknown platform */
-#  define PLATFORM_ID
-# endif
-
-#elif defined(__INTEGRITY)
-# if defined(INT_178B)
-#  define PLATFORM_ID "Integrity178"
-
-# else /* regular Integrity */
-#  define PLATFORM_ID "Integrity"
-# endif
-
-# elif defined(_ADI_COMPILER)
-#  define PLATFORM_ID "ADSP"
-
-#else /* unknown platform */
-# define PLATFORM_ID
-
-#endif
-
-/* For windows compilers MSVC and Intel we can determine
-   the architecture of the compiler being used.  This is because
-   the compilers do not have flags that can change the architecture,
-   but rather depend on which compiler is being used
-*/
-#if defined(_WIN32) && defined(_MSC_VER)
-# if defined(_M_IA64)
-#  define ARCHITECTURE_ID "IA64"
-
-# elif defined(_M_ARM64EC)
-#  define ARCHITECTURE_ID "ARM64EC"
-
-# elif defined(_M_X64) || defined(_M_AMD64)
-#  define ARCHITECTURE_ID "x64"
-
-# elif defined(_M_IX86)
-#  define ARCHITECTURE_ID "X86"
-
-# elif defined(_M_ARM64)
-#  define ARCHITECTURE_ID "ARM64"
-
-# elif defined(_M_ARM)
-#  if _M_ARM == 4
-#   define ARCHITECTURE_ID "ARMV4I"
-#  elif _M_ARM == 5
-#   define ARCHITECTURE_ID "ARMV5I"
-#  else
-#   define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM)
-#  endif
-
-# elif defined(_M_MIPS)
-#  define ARCHITECTURE_ID "MIPS"
-
-# elif defined(_M_SH)
-#  define ARCHITECTURE_ID "SHx"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__WATCOMC__)
-# if defined(_M_I86)
-#  define ARCHITECTURE_ID "I86"
-
-# elif defined(_M_IX86)
-#  define ARCHITECTURE_ID "X86"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
-# if defined(__ICCARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__ICCRX__)
-#  define ARCHITECTURE_ID "RX"
-
-# elif defined(__ICCRH850__)
-#  define ARCHITECTURE_ID "RH850"
-
-# elif defined(__ICCRL78__)
-#  define ARCHITECTURE_ID "RL78"
-
-# elif defined(__ICCRISCV__)
-#  define ARCHITECTURE_ID "RISCV"
-
-# elif defined(__ICCAVR__)
-#  define ARCHITECTURE_ID "AVR"
-
-# elif defined(__ICC430__)
-#  define ARCHITECTURE_ID "MSP430"
-
-# elif defined(__ICCV850__)
-#  define ARCHITECTURE_ID "V850"
-
-# elif defined(__ICC8051__)
-#  define ARCHITECTURE_ID "8051"
-
-# elif defined(__ICCSTM8__)
-#  define ARCHITECTURE_ID "STM8"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__ghs__)
-# if defined(__PPC64__)
-#  define ARCHITECTURE_ID "PPC64"
-
-# elif defined(__ppc__)
-#  define ARCHITECTURE_ID "PPC"
-
-# elif defined(__ARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__x86_64__)
-#  define ARCHITECTURE_ID "x64"
-
-# elif defined(__i386__)
-#  define ARCHITECTURE_ID "X86"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__TI_COMPILER_VERSION__)
-# if defined(__TI_ARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__MSP430__)
-#  define ARCHITECTURE_ID "MSP430"
-
-# elif defined(__TMS320C28XX__)
-#  define ARCHITECTURE_ID "TMS320C28x"
-
-# elif defined(__TMS320C6X__) || defined(_TMS320C6X)
-#  define ARCHITECTURE_ID "TMS320C6x"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-# elif defined(__ADSPSHARC__)
-#  define ARCHITECTURE_ID "SHARC"
-
-# elif defined(__ADSPBLACKFIN__)
-#  define ARCHITECTURE_ID "Blackfin"
-
-#elif defined(__TASKING__)
-
-# if defined(__CTC__) || defined(__CPTC__)
-#  define ARCHITECTURE_ID "TriCore"
-
-# elif defined(__CMCS__)
-#  define ARCHITECTURE_ID "MCS"
-
-# elif defined(__CARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__CARC__)
-#  define ARCHITECTURE_ID "ARC"
-
-# elif defined(__C51__)
-#  define ARCHITECTURE_ID "8051"
-
-# elif defined(__CPCP__)
-#  define ARCHITECTURE_ID "PCP"
-
-# else
-#  define ARCHITECTURE_ID ""
-# endif
-
-#else
-#  define ARCHITECTURE_ID
-#endif
-
-/* Convert integer to decimal digit literals.  */
-#define DEC(n)                   \
-  ('0' + (((n) / 10000000)%10)), \
-  ('0' + (((n) / 1000000)%10)),  \
-  ('0' + (((n) / 100000)%10)),   \
-  ('0' + (((n) / 10000)%10)),    \
-  ('0' + (((n) / 1000)%10)),     \
-  ('0' + (((n) / 100)%10)),      \
-  ('0' + (((n) / 10)%10)),       \
-  ('0' +  ((n) % 10))
-
-/* Convert integer to hex digit literals.  */
-#define HEX(n)             \
-  ('0' + ((n)>>28 & 0xF)), \
-  ('0' + ((n)>>24 & 0xF)), \
-  ('0' + ((n)>>20 & 0xF)), \
-  ('0' + ((n)>>16 & 0xF)), \
-  ('0' + ((n)>>12 & 0xF)), \
-  ('0' + ((n)>>8  & 0xF)), \
-  ('0' + ((n)>>4  & 0xF)), \
-  ('0' + ((n)     & 0xF))
-
-/* Construct a string literal encoding the version number. */
-#ifdef COMPILER_VERSION
-char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]";
-
-/* Construct a string literal encoding the version number components. */
-#elif defined(COMPILER_VERSION_MAJOR)
-char const info_version[] = {
-  'I', 'N', 'F', 'O', ':',
-  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[',
-  COMPILER_VERSION_MAJOR,
-# ifdef COMPILER_VERSION_MINOR
-  '.', COMPILER_VERSION_MINOR,
-#  ifdef COMPILER_VERSION_PATCH
-   '.', COMPILER_VERSION_PATCH,
-#   ifdef COMPILER_VERSION_TWEAK
-    '.', COMPILER_VERSION_TWEAK,
-#   endif
-#  endif
-# endif
-  ']','\0'};
-#endif
-
-/* Construct a string literal encoding the internal version number. */
-#ifdef COMPILER_VERSION_INTERNAL
-char const info_version_internal[] = {
-  'I', 'N', 'F', 'O', ':',
-  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_',
-  'i','n','t','e','r','n','a','l','[',
-  COMPILER_VERSION_INTERNAL,']','\0'};
-#elif defined(COMPILER_VERSION_INTERNAL_STR)
-char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]";
-#endif
-
-/* Construct a string literal encoding the version number components. */
-#ifdef SIMULATE_VERSION_MAJOR
-char const info_simulate_version[] = {
-  'I', 'N', 'F', 'O', ':',
-  's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[',
-  SIMULATE_VERSION_MAJOR,
-# ifdef SIMULATE_VERSION_MINOR
-  '.', SIMULATE_VERSION_MINOR,
-#  ifdef SIMULATE_VERSION_PATCH
-   '.', SIMULATE_VERSION_PATCH,
-#   ifdef SIMULATE_VERSION_TWEAK
-    '.', SIMULATE_VERSION_TWEAK,
-#   endif
-#  endif
-# endif
-  ']','\0'};
-#endif
-
-/* Construct the string literal in pieces to prevent the source from
-   getting matched.  Store it in a pointer rather than an array
-   because some compilers will just produce instructions to fill the
-   array rather than assigning a pointer to a static array.  */
-char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]";
-char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]";
-
-
-
-#if !defined(__STDC__) && !defined(__clang__)
-# if defined(_MSC_VER) || defined(__ibmxl__) || defined(__IBMC__)
-#  define C_VERSION "90"
-# else
-#  define C_VERSION
-# endif
-#elif __STDC_VERSION__ > 201710L
-# define C_VERSION "23"
-#elif __STDC_VERSION__ >= 201710L
-# define C_VERSION "17"
-#elif __STDC_VERSION__ >= 201000L
-# define C_VERSION "11"
-#elif __STDC_VERSION__ >= 199901L
-# define C_VERSION "99"
-#else
-# define C_VERSION "90"
-#endif
-const char* info_language_standard_default =
-  "INFO" ":" "standard_default[" C_VERSION "]";
-
-const char* info_language_extensions_default = "INFO" ":" "extensions_default["
-#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) ||           \
-     defined(__TI_COMPILER_VERSION__)) &&                                     \
-  !defined(__STRICT_ANSI__)
-  "ON"
-#else
-  "OFF"
-#endif
-"]";
-
-/*--------------------------------------------------------------------------*/
-
-#ifdef ID_VOID_MAIN
-void main() {}
-#else
-# if defined(__CLASSIC_C__)
-int main(argc, argv) int argc; char *argv[];
-# else
-int main(int argc, char* argv[])
-# endif
-{
-  int require = 0;
-  require += info_compiler[argc];
-  require += info_platform[argc];
-  require += info_arch[argc];
-#ifdef COMPILER_VERSION_MAJOR
-  require += info_version[argc];
-#endif
-#ifdef COMPILER_VERSION_INTERNAL
-  require += info_version_internal[argc];
-#endif
-#ifdef SIMULATE_ID
-  require += info_simulate[argc];
-#endif
-#ifdef SIMULATE_VERSION_MAJOR
-  require += info_simulate_version[argc];
-#endif
-#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
-  require += info_cray[argc];
-#endif
-  require += info_language_standard_default[argc];
-  require += info_language_extensions_default[argc];
-  (void)argv;
-  return require;
-}
-#endif
diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out
deleted file mode 100755
index 59cce56d0864b921fa3ad5b3107537b269645584..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 80632
zcmeI3eQX@Zb->@=T=6v*jn?`}yR
zblfBMmJSsMHIw*{v4y
z7M96rIlNA1S%T_~{-w5FU)JTvgCKu_}w&qEU%b`vE=?y-)NgK
z@g~w1<|uEGfMNB!BFUE0@z;V9?H@FO4z9IGjd?9w`TYs{Q9Exnbs57GroL8Owwd;`
z5j%x2xyJ
z|MaDs&p-d#0}GwhM`{DbBO6L&-=X%jp31mBqkdaK_L~!|9ztC2F7UQk+r?
zd$4UJQnYJ<;|KPPQ})0qRQ&)*OI#j=kt1V+Lw0|z??7XB-+r*iCXU)A*LSDNwZQc!
zjt*6-o;%?bDlW#HnyGpwrmamA4FS?fDuo1@R|++EVOx2epI-bcoE{mt-{>x>d>V3?
zr*x&BS2BeI(>MfBb2X%=@!@nWq>mntgUTe0akwp{SPLuqaGb7?p5_FnNAAzOy!^xu
zzOtNwMI5{H%TN69nIE9;a>o8C+mO70HaAdozcsSd_39&w+4Rnz?#yOh=B+CQ=epC@
zQdb&OnaZ!h{C%PPZI~a_`Ecx8*|&Q#FW(CbFYdtYwG4dqm5jCY>iw|z3v4&~pMxuR
zEM~B*4Y!}w>rek2H}V+(*g|cjed^OS>;t?$vSa~V`j>irE9s~lA)bS5Y7v*{bGuMJ
z0`SYrxQx7l_Pef+EIDX@Ba`|nV80ccnEft*AK&-plRwF?|M;hOy_x^q57GWr^c}o0
zvQ$vM>4q=Wr@4P$asPEEEZvUrPT!Y*XaV58)c!0ioH%`7>Y-nET1(4M{9R*Am^bz3
z-?9DmPr^T6+XTI1X>qe(DSMeUZi@Jcr}+myXYH8asA){NZAC
zX0}{${ZqIiepr`A^!DSfUn^I=Q@twn_2=|XZ(n1_xPkJUtvJDC)t@r?8ZC!lS9N9ykNJC$x5mi_IU_4+}S
zknh+*=aYBib_I2Oj-?{U&9niFDMK->^UK_uxkD%3?bPP(prheq;8FZGV#)
z{9JnU-+uO!ji^C2)pH)V0kjL(LwaieZq&D>a0k7g+=x<=5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$qb0zyCt2mv7=1cZPP5CTF#2nYcoAOwVf5D)@FKnMr{As_^VfDjM@
zLO=)z0U;m+gn$tEe?Z{)8cX$}%gB`J(_KccH}XQ8rS>+M{9_$D&vw_B^Qz=-Q@+;7
z?MB`(<@dzOfBROwN~#NKiv+Z*Ux3k!rS{gC{IhADzs=%TQ9BBW^QX>+Dykpq+hdry$2qI21n+ZC8(4%>vn(6
z^UB^-cB)v64;EyV;fk%}dDTMMOSI)Rf#c3r=BCipb7tI!v&NCa@v*Dz_Kb{w5Gw6>
zfUb$uwI@x-@TQ3FUA4d|p0SG+r#206d!%enanhdktASe#%2khI^O|MqIXr%1V(jpT
zpiXXgMtt8ja%609=;TQ||LCKK&}#hHqgWnmPY1Q9J>s{EhBqFoI#UkpNgsP{&sNJ`
z;QDA2Ys(s3A5Va9J;%AQIT~jJ4H)uC=Fq$j>_Ph!&S+jAvQ!_Y{U#1y
zr)Vtz*SmXrwBF$s_9s_u&vuy4MB`Li*gw@m&+X}17mf497WUt5q31YPHb&#T*uwrl
zTIe~>$F@Y{WYS2m<+wDjKld1WKDWgAufHc6f4{NkYYw(QzG}VO;j#8;oJtG(&$Q5U
zf7f?C+$HQd;ud4yW&o#@W}xe!}SEoS!iII8R>p;`X}z
z-SA9oeY=QpR$D*g@xP4rX->*Q`{Vi-jQ&c@UUS<73$gR>zZ!e~PLtd7E7Ye#=QTPEDd{-P=hmOx
z)13KxP#uNiG@r+N(LM#udLH-7v2oY>=JW43#z~qF%z?i%jJ9VhWMk)Lo`?KRUevxD
zcCWKorDS2%db`1j*`HDUZPrt;r1qax_RZHbpFllbLC3G7{!-aDU+3t4HDA|#4ed8m
zs91Ud_1Tz?vK#P&wJgqx_;u0G(Y`A*e;Tf6Px|=v&l}2qYtwbq616AYeB9Md{CJ#B
z6~DPX+f+Lnt!V805$e0s&Bw)l)F*K`ME3aAAYaE~GgO*T`mM0r%pc7cpkVY?O#jEY
z-X?MQB-M-SEw6hVr%fDi-Y=N=Ja5_lE2vM3|1G1BU$0VMDL&8hHgmu~Pw~^u
zQ!J@LHQVJY)|<8+78Z-w4id?@-sU#<#0^I+Q_
z@ts+F#wmNyQ-YlNRK<1*W!uB=G;_ryo$Y#wwz=tQ(8|75S#Hj&l+U=8vn?H0Gsxk`
zrhYIt+tPWJ@|-(gZrxl}Xe$tbGqn=G?3IHs6`hX~(Yk1lSL~AX2^2yO%>+yhO}z^_
zwJ3}AI^+<=f$l-MX!~xZS`7C$s*m-ID9$UJXB8wu2e`+`8(yH9Ve6ReP#ZEjSgs6jc41?aa+Xu{twbaRaxM>rJ+>
zCvhIwj_*5Xu}gt}7WB8#rMa1zv*;4a*)(G!rb9=aGw#q3)={pw{#XfT3pSGmxQeca
zPvnmtvJV{_wr#M7KXfdAbZiLK_^$)|(5NXL9X*JIMdIiOYL&9oQz*MXw{Jh#V-rX16$}$chX}%iQ>eJ;Sg6&EABJ&DPT+v*rYXYq
zQHyLU&~})anyGp#PIjqQwWl4ggz=n0)ejn#_Z`5>$I-G>_UyTuTY|DTS+!>?PB2;Z
zXLPROcvExElxw^5NTY@yyw|X``YZ7k!>=7_xCkXSh+Em{4C=6-hNr5uQ4K=!N{(Mz
zsf76OB#F|YLDZE!?)ua;opJo)G(fI)b|!ENC<9;1Y2H(x%HwLQ&J9!ET&^%zu9Wtc
z@pPb6`N6ThYPqDcY5E61u5{MJcv=QNHMVosOPmvh=f&rt2b`xw}nDdQP!icVAblT#JwU`QBpNPY(Aziy=JTFwaq
zzg(CL@ZkF2Ci?#sT@ui3BBg<}MFOP~!2i$EIc>}PB=5(q12^{P=cf}!(L+X|#Mf1<
z!oQhB{P{V`yz$Snp^+)kEf(1!j)#(92TeAW2(swnzDDdF}THPG`qV#@yfTzRblJ!%ZO{&@eNGX8_c
zj-NjtPw=OA0dfD&qK?{ymxU_vbLtDmpU2M>tG4n!$v?*}?9b1$FB|{kVPo8%puoiQMCUYX-Y0nxH}YrxeE%_T{Qn-y
z!io8@?it((`}2L`L1Q?~hDI7J4ehsM{`_2i!T7&j{g=^yBW`B8HJ;yJUq&USczZd|
z@*mNL{;S3Q{G9*BE&5+YUz$7Y&+h|n8viQ<2NTaPu9xS*D_BM*?9cBFUNBGWvse~R
z?9cKSSQz%__Y2pJKOcV_gZ)_kXUw1Px3{UNfcHt!#D1*(E$)zx+t2rZqsBjOZ*Z_X
z{5S5AE?y7&tM>&BYi&zej+4P1nyL$=#KiaQ^TuM!4z1^Rdhz*3ad_@)OZ|Iphpyq9
x#*x;6$8qES@Nq@|r{%tDPyK7XTl??ifj5O(yJFdmyGj0bzqY(9<`B!m{{a6BpB4ZB

diff --git a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp b/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp
deleted file mode 100644
index 746b1672e640..000000000000
--- a/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdCXX/CMakeCXXCompilerId.cpp
+++ /dev/null
@@ -1,855 +0,0 @@
-/* This source file must have a .cpp extension so that all C++ compilers
-   recognize the extension without flags.  Borland does not know .cxx for
-   example.  */
-#ifndef __cplusplus
-# error "A C compiler has been selected for C++."
-#endif
-
-#if !defined(__has_include)
-/* If the compiler does not have __has_include, pretend the answer is
-   always no.  */
-#  define __has_include(x) 0
-#endif
-
-
-/* Version number components: V=Version, R=Revision, P=Patch
-   Version date components:   YYYY=Year, MM=Month,   DD=Day  */
-
-#if defined(__COMO__)
-# define COMPILER_ID "Comeau"
-  /* __COMO_VERSION__ = VRR */
-# define COMPILER_VERSION_MAJOR DEC(__COMO_VERSION__ / 100)
-# define COMPILER_VERSION_MINOR DEC(__COMO_VERSION__ % 100)
-
-#elif defined(__INTEL_COMPILER) || defined(__ICC)
-# define COMPILER_ID "Intel"
-# if defined(_MSC_VER)
-#  define SIMULATE_ID "MSVC"
-# endif
-# if defined(__GNUC__)
-#  define SIMULATE_ID "GNU"
-# endif
-  /* __INTEL_COMPILER = VRP prior to 2021, and then VVVV for 2021 and later,
-     except that a few beta releases use the old format with V=2021.  */
-# if __INTEL_COMPILER < 2021 || __INTEL_COMPILER == 202110 || __INTEL_COMPILER == 202111
-#  define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER/100)
-#  define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER/10 % 10)
-#  if defined(__INTEL_COMPILER_UPDATE)
-#   define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER_UPDATE)
-#  else
-#   define COMPILER_VERSION_PATCH DEC(__INTEL_COMPILER   % 10)
-#  endif
-# else
-#  define COMPILER_VERSION_MAJOR DEC(__INTEL_COMPILER)
-#  define COMPILER_VERSION_MINOR DEC(__INTEL_COMPILER_UPDATE)
-   /* The third version component from --version is an update index,
-      but no macro is provided for it.  */
-#  define COMPILER_VERSION_PATCH DEC(0)
-# endif
-# if defined(__INTEL_COMPILER_BUILD_DATE)
-   /* __INTEL_COMPILER_BUILD_DATE = YYYYMMDD */
-#  define COMPILER_VERSION_TWEAK DEC(__INTEL_COMPILER_BUILD_DATE)
-# endif
-# if defined(_MSC_VER)
-   /* _MSC_VER = VVRR */
-#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
-#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
-# endif
-# if defined(__GNUC__)
-#  define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
-# elif defined(__GNUG__)
-#  define SIMULATE_VERSION_MAJOR DEC(__GNUG__)
-# endif
-# if defined(__GNUC_MINOR__)
-#  define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
-# endif
-# if defined(__GNUC_PATCHLEVEL__)
-#  define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
-# endif
-
-#elif (defined(__clang__) && defined(__INTEL_CLANG_COMPILER)) || defined(__INTEL_LLVM_COMPILER)
-# define COMPILER_ID "IntelLLVM"
-#if defined(_MSC_VER)
-# define SIMULATE_ID "MSVC"
-#endif
-#if defined(__GNUC__)
-# define SIMULATE_ID "GNU"
-#endif
-/* __INTEL_LLVM_COMPILER = VVVVRP prior to 2021.2.0, VVVVRRPP for 2021.2.0 and
- * later.  Look for 6 digit vs. 8 digit version number to decide encoding.
- * VVVV is no smaller than the current year when a version is released.
- */
-#if __INTEL_LLVM_COMPILER < 1000000L
-# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/100)
-# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER    % 10)
-#else
-# define COMPILER_VERSION_MAJOR DEC(__INTEL_LLVM_COMPILER/10000)
-# define COMPILER_VERSION_MINOR DEC(__INTEL_LLVM_COMPILER/100 % 100)
-# define COMPILER_VERSION_PATCH DEC(__INTEL_LLVM_COMPILER     % 100)
-#endif
-#if defined(_MSC_VER)
-  /* _MSC_VER = VVRR */
-# define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
-# define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
-#endif
-#if defined(__GNUC__)
-# define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
-#elif defined(__GNUG__)
-# define SIMULATE_VERSION_MAJOR DEC(__GNUG__)
-#endif
-#if defined(__GNUC_MINOR__)
-# define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
-#endif
-#if defined(__GNUC_PATCHLEVEL__)
-# define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
-#endif
-
-#elif defined(__PATHCC__)
-# define COMPILER_ID "PathScale"
-# define COMPILER_VERSION_MAJOR DEC(__PATHCC__)
-# define COMPILER_VERSION_MINOR DEC(__PATHCC_MINOR__)
-# if defined(__PATHCC_PATCHLEVEL__)
-#  define COMPILER_VERSION_PATCH DEC(__PATHCC_PATCHLEVEL__)
-# endif
-
-#elif defined(__BORLANDC__) && defined(__CODEGEARC_VERSION__)
-# define COMPILER_ID "Embarcadero"
-# define COMPILER_VERSION_MAJOR HEX(__CODEGEARC_VERSION__>>24 & 0x00FF)
-# define COMPILER_VERSION_MINOR HEX(__CODEGEARC_VERSION__>>16 & 0x00FF)
-# define COMPILER_VERSION_PATCH DEC(__CODEGEARC_VERSION__     & 0xFFFF)
-
-#elif defined(__BORLANDC__)
-# define COMPILER_ID "Borland"
-  /* __BORLANDC__ = 0xVRR */
-# define COMPILER_VERSION_MAJOR HEX(__BORLANDC__>>8)
-# define COMPILER_VERSION_MINOR HEX(__BORLANDC__ & 0xFF)
-
-#elif defined(__WATCOMC__) && __WATCOMC__ < 1200
-# define COMPILER_ID "Watcom"
-   /* __WATCOMC__ = VVRR */
-# define COMPILER_VERSION_MAJOR DEC(__WATCOMC__ / 100)
-# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
-# if (__WATCOMC__ % 10) > 0
-#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
-# endif
-
-#elif defined(__WATCOMC__)
-# define COMPILER_ID "OpenWatcom"
-   /* __WATCOMC__ = VVRP + 1100 */
-# define COMPILER_VERSION_MAJOR DEC((__WATCOMC__ - 1100) / 100)
-# define COMPILER_VERSION_MINOR DEC((__WATCOMC__ / 10) % 10)
-# if (__WATCOMC__ % 10) > 0
-#  define COMPILER_VERSION_PATCH DEC(__WATCOMC__ % 10)
-# endif
-
-#elif defined(__SUNPRO_CC)
-# define COMPILER_ID "SunPro"
-# if __SUNPRO_CC >= 0x5100
-   /* __SUNPRO_CC = 0xVRRP */
-#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>12)
-#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xFF)
-#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC    & 0xF)
-# else
-   /* __SUNPRO_CC = 0xVRP */
-#  define COMPILER_VERSION_MAJOR HEX(__SUNPRO_CC>>8)
-#  define COMPILER_VERSION_MINOR HEX(__SUNPRO_CC>>4 & 0xF)
-#  define COMPILER_VERSION_PATCH HEX(__SUNPRO_CC    & 0xF)
-# endif
-
-#elif defined(__HP_aCC)
-# define COMPILER_ID "HP"
-  /* __HP_aCC = VVRRPP */
-# define COMPILER_VERSION_MAJOR DEC(__HP_aCC/10000)
-# define COMPILER_VERSION_MINOR DEC(__HP_aCC/100 % 100)
-# define COMPILER_VERSION_PATCH DEC(__HP_aCC     % 100)
-
-#elif defined(__DECCXX)
-# define COMPILER_ID "Compaq"
-  /* __DECCXX_VER = VVRRTPPPP */
-# define COMPILER_VERSION_MAJOR DEC(__DECCXX_VER/10000000)
-# define COMPILER_VERSION_MINOR DEC(__DECCXX_VER/100000  % 100)
-# define COMPILER_VERSION_PATCH DEC(__DECCXX_VER         % 10000)
-
-#elif defined(__IBMCPP__) && defined(__COMPILER_VER__)
-# define COMPILER_ID "zOS"
-  /* __IBMCPP__ = VRP */
-# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100)
-# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__IBMCPP__    % 10)
-
-#elif defined(__open_xl__) && defined(__clang__)
-# define COMPILER_ID "IBMClang"
-# define COMPILER_VERSION_MAJOR DEC(__open_xl_version__)
-# define COMPILER_VERSION_MINOR DEC(__open_xl_release__)
-# define COMPILER_VERSION_PATCH DEC(__open_xl_modification__)
-# define COMPILER_VERSION_TWEAK DEC(__open_xl_ptf_fix_level__)
-
-
-#elif defined(__ibmxl__) && defined(__clang__)
-# define COMPILER_ID "XLClang"
-# define COMPILER_VERSION_MAJOR DEC(__ibmxl_version__)
-# define COMPILER_VERSION_MINOR DEC(__ibmxl_release__)
-# define COMPILER_VERSION_PATCH DEC(__ibmxl_modification__)
-# define COMPILER_VERSION_TWEAK DEC(__ibmxl_ptf_fix_level__)
-
-
-#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ >= 800
-# define COMPILER_ID "XL"
-  /* __IBMCPP__ = VRP */
-# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100)
-# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__IBMCPP__    % 10)
-
-#elif defined(__IBMCPP__) && !defined(__COMPILER_VER__) && __IBMCPP__ < 800
-# define COMPILER_ID "VisualAge"
-  /* __IBMCPP__ = VRP */
-# define COMPILER_VERSION_MAJOR DEC(__IBMCPP__/100)
-# define COMPILER_VERSION_MINOR DEC(__IBMCPP__/10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__IBMCPP__    % 10)
-
-#elif defined(__NVCOMPILER)
-# define COMPILER_ID "NVHPC"
-# define COMPILER_VERSION_MAJOR DEC(__NVCOMPILER_MAJOR__)
-# define COMPILER_VERSION_MINOR DEC(__NVCOMPILER_MINOR__)
-# if defined(__NVCOMPILER_PATCHLEVEL__)
-#  define COMPILER_VERSION_PATCH DEC(__NVCOMPILER_PATCHLEVEL__)
-# endif
-
-#elif defined(__PGI)
-# define COMPILER_ID "PGI"
-# define COMPILER_VERSION_MAJOR DEC(__PGIC__)
-# define COMPILER_VERSION_MINOR DEC(__PGIC_MINOR__)
-# if defined(__PGIC_PATCHLEVEL__)
-#  define COMPILER_VERSION_PATCH DEC(__PGIC_PATCHLEVEL__)
-# endif
-
-#elif defined(_CRAYC)
-# define COMPILER_ID "Cray"
-# define COMPILER_VERSION_MAJOR DEC(_RELEASE_MAJOR)
-# define COMPILER_VERSION_MINOR DEC(_RELEASE_MINOR)
-
-#elif defined(__TI_COMPILER_VERSION__)
-# define COMPILER_ID "TI"
-  /* __TI_COMPILER_VERSION__ = VVVRRRPPP */
-# define COMPILER_VERSION_MAJOR DEC(__TI_COMPILER_VERSION__/1000000)
-# define COMPILER_VERSION_MINOR DEC(__TI_COMPILER_VERSION__/1000   % 1000)
-# define COMPILER_VERSION_PATCH DEC(__TI_COMPILER_VERSION__        % 1000)
-
-#elif defined(__CLANG_FUJITSU)
-# define COMPILER_ID "FujitsuClang"
-# define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
-# define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
-# define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
-# define COMPILER_VERSION_INTERNAL_STR __clang_version__
-
-
-#elif defined(__FUJITSU)
-# define COMPILER_ID "Fujitsu"
-# if defined(__FCC_version__)
-#   define COMPILER_VERSION __FCC_version__
-# elif defined(__FCC_major__)
-#   define COMPILER_VERSION_MAJOR DEC(__FCC_major__)
-#   define COMPILER_VERSION_MINOR DEC(__FCC_minor__)
-#   define COMPILER_VERSION_PATCH DEC(__FCC_patchlevel__)
-# endif
-# if defined(__fcc_version)
-#   define COMPILER_VERSION_INTERNAL DEC(__fcc_version)
-# elif defined(__FCC_VERSION)
-#   define COMPILER_VERSION_INTERNAL DEC(__FCC_VERSION)
-# endif
-
-
-#elif defined(__ghs__)
-# define COMPILER_ID "GHS"
-/* __GHS_VERSION_NUMBER = VVVVRP */
-# ifdef __GHS_VERSION_NUMBER
-# define COMPILER_VERSION_MAJOR DEC(__GHS_VERSION_NUMBER / 100)
-# define COMPILER_VERSION_MINOR DEC(__GHS_VERSION_NUMBER / 10 % 10)
-# define COMPILER_VERSION_PATCH DEC(__GHS_VERSION_NUMBER      % 10)
-# endif
-
-#elif defined(__TASKING__)
-# define COMPILER_ID "Tasking"
-  # define COMPILER_VERSION_MAJOR DEC(__VERSION__/1000)
-  # define COMPILER_VERSION_MINOR DEC(__VERSION__ % 100)
-# define COMPILER_VERSION_INTERNAL DEC(__VERSION__)
-
-#elif defined(__SCO_VERSION__)
-# define COMPILER_ID "SCO"
-
-#elif defined(__ARMCC_VERSION) && !defined(__clang__)
-# define COMPILER_ID "ARMCC"
-#if __ARMCC_VERSION >= 1000000
-  /* __ARMCC_VERSION = VRRPPPP */
-  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/1000000)
-  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 100)
-  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION     % 10000)
-#else
-  /* __ARMCC_VERSION = VRPPPP */
-  # define COMPILER_VERSION_MAJOR DEC(__ARMCC_VERSION/100000)
-  # define COMPILER_VERSION_MINOR DEC(__ARMCC_VERSION/10000 % 10)
-  # define COMPILER_VERSION_PATCH DEC(__ARMCC_VERSION    % 10000)
-#endif
-
-
-#elif defined(__clang__) && defined(__apple_build_version__)
-# define COMPILER_ID "AppleClang"
-# if defined(_MSC_VER)
-#  define SIMULATE_ID "MSVC"
-# endif
-# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
-# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
-# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
-# if defined(_MSC_VER)
-   /* _MSC_VER = VVRR */
-#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
-#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
-# endif
-# define COMPILER_VERSION_TWEAK DEC(__apple_build_version__)
-
-#elif defined(__clang__) && defined(__ARMCOMPILER_VERSION)
-# define COMPILER_ID "ARMClang"
-  # define COMPILER_VERSION_MAJOR DEC(__ARMCOMPILER_VERSION/1000000)
-  # define COMPILER_VERSION_MINOR DEC(__ARMCOMPILER_VERSION/10000 % 100)
-  # define COMPILER_VERSION_PATCH DEC(__ARMCOMPILER_VERSION     % 10000)
-# define COMPILER_VERSION_INTERNAL DEC(__ARMCOMPILER_VERSION)
-
-#elif defined(__clang__)
-# define COMPILER_ID "Clang"
-# if defined(_MSC_VER)
-#  define SIMULATE_ID "MSVC"
-# endif
-# define COMPILER_VERSION_MAJOR DEC(__clang_major__)
-# define COMPILER_VERSION_MINOR DEC(__clang_minor__)
-# define COMPILER_VERSION_PATCH DEC(__clang_patchlevel__)
-# if defined(_MSC_VER)
-   /* _MSC_VER = VVRR */
-#  define SIMULATE_VERSION_MAJOR DEC(_MSC_VER / 100)
-#  define SIMULATE_VERSION_MINOR DEC(_MSC_VER % 100)
-# endif
-
-#elif defined(__LCC__) && (defined(__GNUC__) || defined(__GNUG__) || defined(__MCST__))
-# define COMPILER_ID "LCC"
-# define COMPILER_VERSION_MAJOR DEC(__LCC__ / 100)
-# define COMPILER_VERSION_MINOR DEC(__LCC__ % 100)
-# if defined(__LCC_MINOR__)
-#  define COMPILER_VERSION_PATCH DEC(__LCC_MINOR__)
-# endif
-# if defined(__GNUC__) && defined(__GNUC_MINOR__)
-#  define SIMULATE_ID "GNU"
-#  define SIMULATE_VERSION_MAJOR DEC(__GNUC__)
-#  define SIMULATE_VERSION_MINOR DEC(__GNUC_MINOR__)
-#  if defined(__GNUC_PATCHLEVEL__)
-#   define SIMULATE_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
-#  endif
-# endif
-
-#elif defined(__GNUC__) || defined(__GNUG__)
-# define COMPILER_ID "GNU"
-# if defined(__GNUC__)
-#  define COMPILER_VERSION_MAJOR DEC(__GNUC__)
-# else
-#  define COMPILER_VERSION_MAJOR DEC(__GNUG__)
-# endif
-# if defined(__GNUC_MINOR__)
-#  define COMPILER_VERSION_MINOR DEC(__GNUC_MINOR__)
-# endif
-# if defined(__GNUC_PATCHLEVEL__)
-#  define COMPILER_VERSION_PATCH DEC(__GNUC_PATCHLEVEL__)
-# endif
-
-#elif defined(_MSC_VER)
-# define COMPILER_ID "MSVC"
-  /* _MSC_VER = VVRR */
-# define COMPILER_VERSION_MAJOR DEC(_MSC_VER / 100)
-# define COMPILER_VERSION_MINOR DEC(_MSC_VER % 100)
-# if defined(_MSC_FULL_VER)
-#  if _MSC_VER >= 1400
-    /* _MSC_FULL_VER = VVRRPPPPP */
-#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 100000)
-#  else
-    /* _MSC_FULL_VER = VVRRPPPP */
-#   define COMPILER_VERSION_PATCH DEC(_MSC_FULL_VER % 10000)
-#  endif
-# endif
-# if defined(_MSC_BUILD)
-#  define COMPILER_VERSION_TWEAK DEC(_MSC_BUILD)
-# endif
-
-#elif defined(_ADI_COMPILER)
-# define COMPILER_ID "ADSP"
-#if defined(__VERSIONNUM__)
-  /* __VERSIONNUM__ = 0xVVRRPPTT */
-#  define COMPILER_VERSION_MAJOR DEC(__VERSIONNUM__ >> 24 & 0xFF)
-#  define COMPILER_VERSION_MINOR DEC(__VERSIONNUM__ >> 16 & 0xFF)
-#  define COMPILER_VERSION_PATCH DEC(__VERSIONNUM__ >> 8 & 0xFF)
-#  define COMPILER_VERSION_TWEAK DEC(__VERSIONNUM__ & 0xFF)
-#endif
-
-#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
-# define COMPILER_ID "IAR"
-# if defined(__VER__) && defined(__ICCARM__)
-#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 1000000)
-#  define COMPILER_VERSION_MINOR DEC(((__VER__) / 1000) % 1000)
-#  define COMPILER_VERSION_PATCH DEC((__VER__) % 1000)
-#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
-# elif defined(__VER__) && (defined(__ICCAVR__) || defined(__ICCRX__) || defined(__ICCRH850__) || defined(__ICCRL78__) || defined(__ICC430__) || defined(__ICCRISCV__) || defined(__ICCV850__) || defined(__ICC8051__) || defined(__ICCSTM8__))
-#  define COMPILER_VERSION_MAJOR DEC((__VER__) / 100)
-#  define COMPILER_VERSION_MINOR DEC((__VER__) - (((__VER__) / 100)*100))
-#  define COMPILER_VERSION_PATCH DEC(__SUBVERSION__)
-#  define COMPILER_VERSION_INTERNAL DEC(__IAR_SYSTEMS_ICC__)
-# endif
-
-
-/* These compilers are either not known or too old to define an
-  identification macro.  Try to identify the platform and guess that
-  it is the native compiler.  */
-#elif defined(__hpux) || defined(__hpua)
-# define COMPILER_ID "HP"
-
-#else /* unknown compiler */
-# define COMPILER_ID ""
-#endif
-
-/* Construct the string literal in pieces to prevent the source from
-   getting matched.  Store it in a pointer rather than an array
-   because some compilers will just produce instructions to fill the
-   array rather than assigning a pointer to a static array.  */
-char const* info_compiler = "INFO" ":" "compiler[" COMPILER_ID "]";
-#ifdef SIMULATE_ID
-char const* info_simulate = "INFO" ":" "simulate[" SIMULATE_ID "]";
-#endif
-
-#ifdef __QNXNTO__
-char const* qnxnto = "INFO" ":" "qnxnto[]";
-#endif
-
-#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
-char const *info_cray = "INFO" ":" "compiler_wrapper[CrayPrgEnv]";
-#endif
-
-#define STRINGIFY_HELPER(X) #X
-#define STRINGIFY(X) STRINGIFY_HELPER(X)
-
-/* Identify known platforms by name.  */
-#if defined(__linux) || defined(__linux__) || defined(linux)
-# define PLATFORM_ID "Linux"
-
-#elif defined(__MSYS__)
-# define PLATFORM_ID "MSYS"
-
-#elif defined(__CYGWIN__)
-# define PLATFORM_ID "Cygwin"
-
-#elif defined(__MINGW32__)
-# define PLATFORM_ID "MinGW"
-
-#elif defined(__APPLE__)
-# define PLATFORM_ID "Darwin"
-
-#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
-# define PLATFORM_ID "Windows"
-
-#elif defined(__FreeBSD__) || defined(__FreeBSD)
-# define PLATFORM_ID "FreeBSD"
-
-#elif defined(__NetBSD__) || defined(__NetBSD)
-# define PLATFORM_ID "NetBSD"
-
-#elif defined(__OpenBSD__) || defined(__OPENBSD)
-# define PLATFORM_ID "OpenBSD"
-
-#elif defined(__sun) || defined(sun)
-# define PLATFORM_ID "SunOS"
-
-#elif defined(_AIX) || defined(__AIX) || defined(__AIX__) || defined(__aix) || defined(__aix__)
-# define PLATFORM_ID "AIX"
-
-#elif defined(__hpux) || defined(__hpux__)
-# define PLATFORM_ID "HP-UX"
-
-#elif defined(__HAIKU__)
-# define PLATFORM_ID "Haiku"
-
-#elif defined(__BeOS) || defined(__BEOS__) || defined(_BEOS)
-# define PLATFORM_ID "BeOS"
-
-#elif defined(__QNX__) || defined(__QNXNTO__)
-# define PLATFORM_ID "QNX"
-
-#elif defined(__tru64) || defined(_tru64) || defined(__TRU64__)
-# define PLATFORM_ID "Tru64"
-
-#elif defined(__riscos) || defined(__riscos__)
-# define PLATFORM_ID "RISCos"
-
-#elif defined(__sinix) || defined(__sinix__) || defined(__SINIX__)
-# define PLATFORM_ID "SINIX"
-
-#elif defined(__UNIX_SV__)
-# define PLATFORM_ID "UNIX_SV"
-
-#elif defined(__bsdos__)
-# define PLATFORM_ID "BSDOS"
-
-#elif defined(_MPRAS) || defined(MPRAS)
-# define PLATFORM_ID "MP-RAS"
-
-#elif defined(__osf) || defined(__osf__)
-# define PLATFORM_ID "OSF1"
-
-#elif defined(_SCO_SV) || defined(SCO_SV) || defined(sco_sv)
-# define PLATFORM_ID "SCO_SV"
-
-#elif defined(__ultrix) || defined(__ultrix__) || defined(_ULTRIX)
-# define PLATFORM_ID "ULTRIX"
-
-#elif defined(__XENIX__) || defined(_XENIX) || defined(XENIX)
-# define PLATFORM_ID "Xenix"
-
-#elif defined(__WATCOMC__)
-# if defined(__LINUX__)
-#  define PLATFORM_ID "Linux"
-
-# elif defined(__DOS__)
-#  define PLATFORM_ID "DOS"
-
-# elif defined(__OS2__)
-#  define PLATFORM_ID "OS2"
-
-# elif defined(__WINDOWS__)
-#  define PLATFORM_ID "Windows3x"
-
-# elif defined(__VXWORKS__)
-#  define PLATFORM_ID "VxWorks"
-
-# else /* unknown platform */
-#  define PLATFORM_ID
-# endif
-
-#elif defined(__INTEGRITY)
-# if defined(INT_178B)
-#  define PLATFORM_ID "Integrity178"
-
-# else /* regular Integrity */
-#  define PLATFORM_ID "Integrity"
-# endif
-
-# elif defined(_ADI_COMPILER)
-#  define PLATFORM_ID "ADSP"
-
-#else /* unknown platform */
-# define PLATFORM_ID
-
-#endif
-
-/* For windows compilers MSVC and Intel we can determine
-   the architecture of the compiler being used.  This is because
-   the compilers do not have flags that can change the architecture,
-   but rather depend on which compiler is being used
-*/
-#if defined(_WIN32) && defined(_MSC_VER)
-# if defined(_M_IA64)
-#  define ARCHITECTURE_ID "IA64"
-
-# elif defined(_M_ARM64EC)
-#  define ARCHITECTURE_ID "ARM64EC"
-
-# elif defined(_M_X64) || defined(_M_AMD64)
-#  define ARCHITECTURE_ID "x64"
-
-# elif defined(_M_IX86)
-#  define ARCHITECTURE_ID "X86"
-
-# elif defined(_M_ARM64)
-#  define ARCHITECTURE_ID "ARM64"
-
-# elif defined(_M_ARM)
-#  if _M_ARM == 4
-#   define ARCHITECTURE_ID "ARMV4I"
-#  elif _M_ARM == 5
-#   define ARCHITECTURE_ID "ARMV5I"
-#  else
-#   define ARCHITECTURE_ID "ARMV" STRINGIFY(_M_ARM)
-#  endif
-
-# elif defined(_M_MIPS)
-#  define ARCHITECTURE_ID "MIPS"
-
-# elif defined(_M_SH)
-#  define ARCHITECTURE_ID "SHx"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__WATCOMC__)
-# if defined(_M_I86)
-#  define ARCHITECTURE_ID "I86"
-
-# elif defined(_M_IX86)
-#  define ARCHITECTURE_ID "X86"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__IAR_SYSTEMS_ICC__) || defined(__IAR_SYSTEMS_ICC)
-# if defined(__ICCARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__ICCRX__)
-#  define ARCHITECTURE_ID "RX"
-
-# elif defined(__ICCRH850__)
-#  define ARCHITECTURE_ID "RH850"
-
-# elif defined(__ICCRL78__)
-#  define ARCHITECTURE_ID "RL78"
-
-# elif defined(__ICCRISCV__)
-#  define ARCHITECTURE_ID "RISCV"
-
-# elif defined(__ICCAVR__)
-#  define ARCHITECTURE_ID "AVR"
-
-# elif defined(__ICC430__)
-#  define ARCHITECTURE_ID "MSP430"
-
-# elif defined(__ICCV850__)
-#  define ARCHITECTURE_ID "V850"
-
-# elif defined(__ICC8051__)
-#  define ARCHITECTURE_ID "8051"
-
-# elif defined(__ICCSTM8__)
-#  define ARCHITECTURE_ID "STM8"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__ghs__)
-# if defined(__PPC64__)
-#  define ARCHITECTURE_ID "PPC64"
-
-# elif defined(__ppc__)
-#  define ARCHITECTURE_ID "PPC"
-
-# elif defined(__ARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__x86_64__)
-#  define ARCHITECTURE_ID "x64"
-
-# elif defined(__i386__)
-#  define ARCHITECTURE_ID "X86"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-#elif defined(__TI_COMPILER_VERSION__)
-# if defined(__TI_ARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__MSP430__)
-#  define ARCHITECTURE_ID "MSP430"
-
-# elif defined(__TMS320C28XX__)
-#  define ARCHITECTURE_ID "TMS320C28x"
-
-# elif defined(__TMS320C6X__) || defined(_TMS320C6X)
-#  define ARCHITECTURE_ID "TMS320C6x"
-
-# else /* unknown architecture */
-#  define ARCHITECTURE_ID ""
-# endif
-
-# elif defined(__ADSPSHARC__)
-#  define ARCHITECTURE_ID "SHARC"
-
-# elif defined(__ADSPBLACKFIN__)
-#  define ARCHITECTURE_ID "Blackfin"
-
-#elif defined(__TASKING__)
-
-# if defined(__CTC__) || defined(__CPTC__)
-#  define ARCHITECTURE_ID "TriCore"
-
-# elif defined(__CMCS__)
-#  define ARCHITECTURE_ID "MCS"
-
-# elif defined(__CARM__)
-#  define ARCHITECTURE_ID "ARM"
-
-# elif defined(__CARC__)
-#  define ARCHITECTURE_ID "ARC"
-
-# elif defined(__C51__)
-#  define ARCHITECTURE_ID "8051"
-
-# elif defined(__CPCP__)
-#  define ARCHITECTURE_ID "PCP"
-
-# else
-#  define ARCHITECTURE_ID ""
-# endif
-
-#else
-#  define ARCHITECTURE_ID
-#endif
-
-/* Convert integer to decimal digit literals.  */
-#define DEC(n)                   \
-  ('0' + (((n) / 10000000)%10)), \
-  ('0' + (((n) / 1000000)%10)),  \
-  ('0' + (((n) / 100000)%10)),   \
-  ('0' + (((n) / 10000)%10)),    \
-  ('0' + (((n) / 1000)%10)),     \
-  ('0' + (((n) / 100)%10)),      \
-  ('0' + (((n) / 10)%10)),       \
-  ('0' +  ((n) % 10))
-
-/* Convert integer to hex digit literals.  */
-#define HEX(n)             \
-  ('0' + ((n)>>28 & 0xF)), \
-  ('0' + ((n)>>24 & 0xF)), \
-  ('0' + ((n)>>20 & 0xF)), \
-  ('0' + ((n)>>16 & 0xF)), \
-  ('0' + ((n)>>12 & 0xF)), \
-  ('0' + ((n)>>8  & 0xF)), \
-  ('0' + ((n)>>4  & 0xF)), \
-  ('0' + ((n)     & 0xF))
-
-/* Construct a string literal encoding the version number. */
-#ifdef COMPILER_VERSION
-char const* info_version = "INFO" ":" "compiler_version[" COMPILER_VERSION "]";
-
-/* Construct a string literal encoding the version number components. */
-#elif defined(COMPILER_VERSION_MAJOR)
-char const info_version[] = {
-  'I', 'N', 'F', 'O', ':',
-  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','[',
-  COMPILER_VERSION_MAJOR,
-# ifdef COMPILER_VERSION_MINOR
-  '.', COMPILER_VERSION_MINOR,
-#  ifdef COMPILER_VERSION_PATCH
-   '.', COMPILER_VERSION_PATCH,
-#   ifdef COMPILER_VERSION_TWEAK
-    '.', COMPILER_VERSION_TWEAK,
-#   endif
-#  endif
-# endif
-  ']','\0'};
-#endif
-
-/* Construct a string literal encoding the internal version number. */
-#ifdef COMPILER_VERSION_INTERNAL
-char const info_version_internal[] = {
-  'I', 'N', 'F', 'O', ':',
-  'c','o','m','p','i','l','e','r','_','v','e','r','s','i','o','n','_',
-  'i','n','t','e','r','n','a','l','[',
-  COMPILER_VERSION_INTERNAL,']','\0'};
-#elif defined(COMPILER_VERSION_INTERNAL_STR)
-char const* info_version_internal = "INFO" ":" "compiler_version_internal[" COMPILER_VERSION_INTERNAL_STR "]";
-#endif
-
-/* Construct a string literal encoding the version number components. */
-#ifdef SIMULATE_VERSION_MAJOR
-char const info_simulate_version[] = {
-  'I', 'N', 'F', 'O', ':',
-  's','i','m','u','l','a','t','e','_','v','e','r','s','i','o','n','[',
-  SIMULATE_VERSION_MAJOR,
-# ifdef SIMULATE_VERSION_MINOR
-  '.', SIMULATE_VERSION_MINOR,
-#  ifdef SIMULATE_VERSION_PATCH
-   '.', SIMULATE_VERSION_PATCH,
-#   ifdef SIMULATE_VERSION_TWEAK
-    '.', SIMULATE_VERSION_TWEAK,
-#   endif
-#  endif
-# endif
-  ']','\0'};
-#endif
-
-/* Construct the string literal in pieces to prevent the source from
-   getting matched.  Store it in a pointer rather than an array
-   because some compilers will just produce instructions to fill the
-   array rather than assigning a pointer to a static array.  */
-char const* info_platform = "INFO" ":" "platform[" PLATFORM_ID "]";
-char const* info_arch = "INFO" ":" "arch[" ARCHITECTURE_ID "]";
-
-
-
-#if defined(__INTEL_COMPILER) && defined(_MSVC_LANG) && _MSVC_LANG < 201403L
-#  if defined(__INTEL_CXX11_MODE__)
-#    if defined(__cpp_aggregate_nsdmi)
-#      define CXX_STD 201402L
-#    else
-#      define CXX_STD 201103L
-#    endif
-#  else
-#    define CXX_STD 199711L
-#  endif
-#elif defined(_MSC_VER) && defined(_MSVC_LANG)
-#  define CXX_STD _MSVC_LANG
-#else
-#  define CXX_STD __cplusplus
-#endif
-
-const char* info_language_standard_default = "INFO" ":" "standard_default["
-#if CXX_STD > 202002L
-  "23"
-#elif CXX_STD > 201703L
-  "20"
-#elif CXX_STD >= 201703L
-  "17"
-#elif CXX_STD >= 201402L
-  "14"
-#elif CXX_STD >= 201103L
-  "11"
-#else
-  "98"
-#endif
-"]";
-
-const char* info_language_extensions_default = "INFO" ":" "extensions_default["
-#if (defined(__clang__) || defined(__GNUC__) || defined(__xlC__) ||           \
-     defined(__TI_COMPILER_VERSION__)) &&                                     \
-  !defined(__STRICT_ANSI__)
-  "ON"
-#else
-  "OFF"
-#endif
-"]";
-
-/*--------------------------------------------------------------------------*/
-
-int main(int argc, char* argv[])
-{
-  int require = 0;
-  require += info_compiler[argc];
-  require += info_platform[argc];
-  require += info_arch[argc];
-#ifdef COMPILER_VERSION_MAJOR
-  require += info_version[argc];
-#endif
-#ifdef COMPILER_VERSION_INTERNAL
-  require += info_version_internal[argc];
-#endif
-#ifdef SIMULATE_ID
-  require += info_simulate[argc];
-#endif
-#ifdef SIMULATE_VERSION_MAJOR
-  require += info_simulate_version[argc];
-#endif
-#if defined(__CRAYXT_COMPUTE_LINUX_TARGET)
-  require += info_cray[argc];
-#endif
-  require += info_language_standard_default[argc];
-  require += info_language_extensions_default[argc];
-  (void)argv;
-  return require;
-}
diff --git a/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml b/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
deleted file mode 100644
index 353c44960b88..000000000000
--- a/products/bascontrol22d4/CMakeFiles/CMakeConfigureLog.yaml
+++ /dev/null
@@ -1,451 +0,0 @@
-
----
-events:
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineSystem.cmake:204 (message)"
-      - "CMakeLists.txt"
-    message: |
-      The system is: Linux - 5.18.13-200.fc36.aarch64 - aarch64
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCCompiler.cmake:123 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the C compiler identification source file "CMakeCCompilerId.c" succeeded.
-      Compiler: /usr/bin/cc 
-      Build flags: 
-      Id flags:  
-      
-      The output was:
-      0
-      
-      
-      Compilation of the C compiler identification source "CMakeCCompilerId.c" produced "a.out"
-      
-      The C compiler identification is GNU, found in:
-        /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/3.26.3/CompilerIdC/a.out
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags:  
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: -c 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: --c++ 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: --ec++ 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: -c;-I__does_not_exist__ 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags:  
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: -c 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: --c++ 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: --ec++ 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: --target=arm-arm-none-eabi;-mcpu=cortex-m3 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:17 (message)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerId.cmake:64 (__determine_compiler_id_test)"
-      - "/usr/share/cmake/Modules/CMakeDetermineCXXCompiler.cmake:126 (CMAKE_DETERMINE_COMPILER_ID)"
-      - "CMakeLists.txt"
-    message: |
-      Compiling the CXX compiler identification source file "CMakeCXXCompilerId.cpp" failed.
-      Compiler: CMAKE_CXX_COMPILER-NOTFOUND 
-      Build flags: 
-      Id flags: -c;-I__does_not_exist__ 
-      
-      The output was:
-      No such file or directory
-      
-      
-  -
-    kind: "try_compile-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:57 (try_compile)"
-      - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)"
-      - "CMakeLists.txt"
-    checks:
-      - "Detecting C compiler ABI info"
-    directories:
-      source: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C"
-      binary: "/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C"
-    cmakeVariables:
-      CMAKE_C_FLAGS: ""
-    buildResult:
-      variable: "CMAKE_C_ABI_COMPILED"
-      cached: true
-      stdout: |
-        Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C
-        
-        Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake  -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build
-        gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C'
-        Building C object CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o
-        /usr/bin/cc   -v -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c
-        Using built-in specs.
-        COLLECT_GCC=/usr/bin/cc
-        Target: aarch64-redhat-linux
-        Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1
-        Thread model: posix
-        Supported LTO compression algorithms: zlib zstd
-        gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) 
-        COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'
-         /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s
-        GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)
-        	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP
-        
-        GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
-        ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed"
-        ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include"
-        #include "..." search starts here:
-        #include <...> search starts here:
-         /usr/lib/gcc/aarch64-redhat-linux/12/include
-         /usr/local/include
-         /usr/include
-        End of search list.
-        GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)
-        	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1), GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1, isl version isl-0.18-GMP
-        
-        GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
-        Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454
-        COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/'
-         as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s
-        GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36
-        COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/
-        LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/
-        COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.'
-        Linking C executable cmTC_cf024
-        /usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1
-        /usr/bin/cc  -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 
-        Using built-in specs.
-        COLLECT_GCC=/usr/bin/cc
-        COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper
-        Target: aarch64-redhat-linux
-        Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1
-        Thread model: posix
-        Supported LTO compression algorithms: zlib zstd
-        gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) 
-        COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/
-        LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/
-        COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.'
-         /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o
-        COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.'
-        gmake[1]: Leaving directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C'
-        
-      exitCode: 0
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:127 (message)"
-      - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)"
-      - "CMakeLists.txt"
-    message: |
-      Parsed C implicit include dir info: rv=done
-        found start of include info
-        found start of implicit include info
-          add: [/usr/lib/gcc/aarch64-redhat-linux/12/include]
-          add: [/usr/local/include]
-          add: [/usr/include]
-        end of search list found
-        collapse include dir [/usr/lib/gcc/aarch64-redhat-linux/12/include] ==> [/usr/lib/gcc/aarch64-redhat-linux/12/include]
-        collapse include dir [/usr/local/include] ==> [/usr/local/include]
-        collapse include dir [/usr/include] ==> [/usr/include]
-        implicit include dirs: [/usr/lib/gcc/aarch64-redhat-linux/12/include;/usr/local/include;/usr/include]
-      
-      
-  -
-    kind: "message-v1"
-    backtrace:
-      - "/usr/share/cmake/Modules/CMakeDetermineCompilerABI.cmake:152 (message)"
-      - "/usr/share/cmake/Modules/CMakeTestCCompiler.cmake:26 (CMAKE_DETERMINE_COMPILER_ABI)"
-      - "CMakeLists.txt"
-    message: |
-      Parsed C implicit link information:
-        link line regex: [^( *|.*[/\\])(ld|CMAKE_LINK_STARTFILE-NOTFOUND|([^/\\]+-)?ld|collect2)[^/\\]*( |$)]
-        ignore line: [Change Dir: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C]
-        ignore line: []
-        ignore line: [Run Build Command(s):/usr/bin/cmake -E env VERBOSE=1 /usr/bin/gmake -f Makefile cmTC_cf024/fast && /usr/bin/gmake  -f CMakeFiles/cmTC_cf024.dir/build.make CMakeFiles/cmTC_cf024.dir/build]
-        ignore line: [gmake[1]: Entering directory '/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/CMakeScratch/TryCompile-TJOC2C']
-        ignore line: [Building C object CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o]
-        ignore line: [/usr/bin/cc   -v -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -c /usr/share/cmake/Modules/CMakeCCompilerABI.c]
-        ignore line: [Using built-in specs.]
-        ignore line: [COLLECT_GCC=/usr/bin/cc]
-        ignore line: [Target: aarch64-redhat-linux]
-        ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1]
-        ignore line: [Thread model: posix]
-        ignore line: [Supported LTO compression algorithms: zlib zstd]
-        ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ]
-        ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/']
-        ignore line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/cc1 -quiet -v /usr/share/cmake/Modules/CMakeCCompilerABI.c -quiet -dumpdir CMakeFiles/cmTC_cf024.dir/ -dumpbase CMakeCCompilerABI.c.c -dumpbase-ext .c -mlittle-endian -mabi=lp64 -version -o /tmp/ccayUgBc.s]
-        ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)]
-        ignore line: [	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1)  GMP version 6.2.1  MPFR version 4.1.0-p13  MPC version 1.2.1  isl version isl-0.18-GMP]
-        ignore line: []
-        ignore line: [GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072]
-        ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/include-fixed"]
-        ignore line: [ignoring nonexistent directory "/usr/lib/gcc/aarch64-redhat-linux/12/../../../../aarch64-redhat-linux/include"]
-        ignore line: [#include "..." search starts here:]
-        ignore line: [#include <...> search starts here:]
-        ignore line: [ /usr/lib/gcc/aarch64-redhat-linux/12/include]
-        ignore line: [ /usr/local/include]
-        ignore line: [ /usr/include]
-        ignore line: [End of search list.]
-        ignore line: [GNU C17 (GCC) version 12.1.1 20220507 (Red Hat 12.1.1-1) (aarch64-redhat-linux)]
-        ignore line: [	compiled by GNU C version 12.1.1 20220507 (Red Hat 12.1.1-1)  GMP version 6.2.1  MPFR version 4.1.0-p13  MPC version 1.2.1  isl version isl-0.18-GMP]
-        ignore line: []
-        ignore line: [GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072]
-        ignore line: [Compiler executable checksum: b0384b1e618c8b7f1da12221eb75d454]
-        ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/']
-        ignore line: [ as -v -EL -mabi=lp64 -o CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o /tmp/ccayUgBc.s]
-        ignore line: [GNU assembler version 2.37 (aarch64-redhat-linux) using BFD version version 2.37-27.fc36]
-        ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/]
-        ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/]
-        ignore line: [COLLECT_GCC_OPTIONS='-v' '-o' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o' '-c' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.']
-        ignore line: [Linking C executable cmTC_cf024]
-        ignore line: [/usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_cf024.dir/link.txt --verbose=1]
-        ignore line: [/usr/bin/cc  -v -rdynamic CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -o cmTC_cf024 ]
-        ignore line: [Using built-in specs.]
-        ignore line: [COLLECT_GCC=/usr/bin/cc]
-        ignore line: [COLLECT_LTO_WRAPPER=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper]
-        ignore line: [Target: aarch64-redhat-linux]
-        ignore line: [Configured with: ../configure --enable-bootstrap --enable-languages=c c++ fortran objc obj-c++ ada go lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-libstdcxx-backtrace --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl=/builddir/build/BUILD/gcc-12.1.1-20220507/obj-aarch64-redhat-linux/isl-install --enable-gnu-indirect-function --build=aarch64-redhat-linux --with-build-config=bootstrap-lto --enable-link-serialization=1]
-        ignore line: [Thread model: posix]
-        ignore line: [Supported LTO compression algorithms: zlib zstd]
-        ignore line: [gcc version 12.1.1 20220507 (Red Hat 12.1.1-1) (GCC) ]
-        ignore line: [COMPILER_PATH=/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/12/:/usr/libexec/gcc/aarch64-redhat-linux/:/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/]
-        ignore line: [LIBRARY_PATH=/usr/lib/gcc/aarch64-redhat-linux/12/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/aarch64-redhat-linux/12/../../../:/lib/:/usr/lib/]
-        ignore line: [COLLECT_GCC_OPTIONS='-v' '-rdynamic' '-o' 'cmTC_cf024' '-mlittle-endian' '-mabi=lp64' '-dumpdir' 'cmTC_cf024.']
-        link line: [ /usr/libexec/gcc/aarch64-redhat-linux/12/collect2 -plugin /usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cchKwJNt.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -export-dynamic -dynamic-linker /lib/ld-linux-aarch64.so.1 -X -EL -maarch64linux -o cmTC_cf024 /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o /usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o -L/usr/lib/gcc/aarch64-redhat-linux/12 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/aarch64-redhat-linux/12/../../.. CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/aarch64-redhat-linux/12/crtend.o /usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o]
-          arg [/usr/libexec/gcc/aarch64-redhat-linux/12/collect2] ==> ignore
-          arg [-plugin] ==> ignore
-          arg [/usr/libexec/gcc/aarch64-redhat-linux/12/liblto_plugin.so] ==> ignore
-          arg [-plugin-opt=/usr/libexec/gcc/aarch64-redhat-linux/12/lto-wrapper] ==> ignore
-          arg [-plugin-opt=-fresolution=/tmp/cchKwJNt.res] ==> ignore
-          arg [-plugin-opt=-pass-through=-lgcc] ==> ignore
-          arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore
-          arg [-plugin-opt=-pass-through=-lc] ==> ignore
-          arg [-plugin-opt=-pass-through=-lgcc] ==> ignore
-          arg [-plugin-opt=-pass-through=-lgcc_s] ==> ignore
-          arg [--build-id] ==> ignore
-          arg [--no-add-needed] ==> ignore
-          arg [--eh-frame-hdr] ==> ignore
-          arg [--hash-style=gnu] ==> ignore
-          arg [-export-dynamic] ==> ignore
-          arg [-dynamic-linker] ==> ignore
-          arg [/lib/ld-linux-aarch64.so.1] ==> ignore
-          arg [-X] ==> ignore
-          arg [-EL] ==> ignore
-          arg [-maarch64linux] ==> ignore
-          arg [-o] ==> ignore
-          arg [cmTC_cf024] ==> ignore
-          arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o]
-          arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o]
-          arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o]
-          arg [-L/usr/lib/gcc/aarch64-redhat-linux/12] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12]
-          arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64]
-          arg [-L/lib/../lib64] ==> dir [/lib/../lib64]
-          arg [-L/usr/lib/../lib64] ==> dir [/usr/lib/../lib64]
-          arg [-L/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..]
-          arg [CMakeFiles/cmTC_cf024.dir/CMakeCCompilerABI.c.o] ==> ignore
-          arg [-lgcc] ==> lib [gcc]
-          arg [--push-state] ==> ignore
-          arg [--as-needed] ==> ignore
-          arg [-lgcc_s] ==> lib [gcc_s]
-          arg [--pop-state] ==> ignore
-          arg [-lc] ==> lib [c]
-          arg [-lgcc] ==> lib [gcc]
-          arg [--push-state] ==> ignore
-          arg [--as-needed] ==> ignore
-          arg [-lgcc_s] ==> lib [gcc_s]
-          arg [--pop-state] ==> ignore
-          arg [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o]
-          arg [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o]
-        collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crt1.o] ==> [/usr/lib64/crt1.o]
-        collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crti.o] ==> [/usr/lib64/crti.o]
-        collapse obj [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64/crtn.o] ==> [/usr/lib64/crtn.o]
-        collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12] ==> [/usr/lib/gcc/aarch64-redhat-linux/12]
-        collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../../../lib64] ==> [/usr/lib64]
-        collapse library dir [/lib/../lib64] ==> [/lib64]
-        collapse library dir [/usr/lib/../lib64] ==> [/usr/lib64]
-        collapse library dir [/usr/lib/gcc/aarch64-redhat-linux/12/../../..] ==> [/usr/lib]
-        implicit libs: [gcc;gcc_s;c;gcc;gcc_s]
-        implicit objs: [/usr/lib64/crt1.o;/usr/lib64/crti.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtbegin.o;/usr/lib/gcc/aarch64-redhat-linux/12/crtend.o;/usr/lib64/crtn.o]
-        implicit dirs: [/usr/lib/gcc/aarch64-redhat-linux/12;/usr/lib64;/lib64;/usr/lib]
-        implicit fwks: []
-      
-      
-...
diff --git a/products/bascontrol22d4/CMakeFiles/cmake.check_cache b/products/bascontrol22d4/CMakeFiles/cmake.check_cache
deleted file mode 100644
index 3dccd731726d..000000000000
--- a/products/bascontrol22d4/CMakeFiles/cmake.check_cache
+++ /dev/null
@@ -1 +0,0 @@
-# This file is generated by cmake for dependency checking of the CMakeCache.txt file

From 4f7bbb6d57004421476055b5725c48ebea446273 Mon Sep 17 00:00:00 2001
From: cealcorn 
Date: Tue, 10 Feb 2026 21:29:19 -0800
Subject: [PATCH 264/265] fixed errors bascontrol22d4 commented out in
 ./CMakeLists.txt

---
 CMakeLists.txt                                |   6 +-
 build/.gitkeep                                |   0
 products/bascontrol22d4/CMakeCache.txt        | 374 ------------------
 products/bascontrol22d4/product.yml           |   8 +-
 .../bascontrol22d4/profiles/standard.profile  |   3 +-
 ssg/constants.py                              |   2 +-
 6 files changed, 9 insertions(+), 384 deletions(-)
 delete mode 100644 build/.gitkeep
 delete mode 100644 products/bascontrol22d4/CMakeCache.txt

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 36cd03e1804b..4f66e2c03277 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -399,9 +399,9 @@ endif()
 if(SSG_PRODUCT_ANOLIS23)
     add_subdirectory("products/anolis23" "anolis23")
 endif()
-if(SSG_PRODUCT_BASCONTROL22D4)
-    add_subdirectory("products/bascontrol22d4" "bascontrol22d4")
-endif()
+#if(SSG_PRODUCT_BASCONTROL22D4)
+#    add_subdirectory("products/bascontrol22d4" "bascontrol22d4")
+#endif()
 if(SSG_PRODUCT_DEBIAN11)
     add_subdirectory("products/debian11" "debian11")
 endif()
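Review bot: The new side at lines 19610-19612 keeps the product registration as commented-out code instead of either fixing it or removing it, while the `ssg/constants.py` hunk in this same commit still maps the full product name to `bascontrol22d4` and `products/bascontrol22d4/product.yml` is still being edited, so the product stays registered everywhere except the build. If the subdirectory fails to configure, the fix belongs in `products/bascontrol22d4/CMakeLists.txt` and these three lines should be restored as `if(SSG_PRODUCT_BASCONTROL22D4)` / `add_subdirectory("products/bascontrol22d4" "bascontrol22d4")` / `endif()`; if the product is being shelved, delete the block outright, since a commented-out block in the top-level CMakeLists.txt will silently drift out of date. Whether an `option(SSG_PRODUCT_BASCONTROL22D4 ...)` declaration still exists elsewhere in the file is outside this hunk, so it should be checked at the same time to avoid an orphaned option.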
diff --git a/build/.gitkeep b/build/.gitkeep
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/products/bascontrol22d4/CMakeCache.txt b/products/bascontrol22d4/CMakeCache.txt
deleted file mode 100644
index ee9244e33dc8..000000000000
--- a/products/bascontrol22d4/CMakeCache.txt
+++ /dev/null
@@ -1,374 +0,0 @@
-# This is the CMakeCache file.
-# For build in directory: /home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
-# It was generated by CMake: /usr/bin/cmake
-# You can edit this file to change values found and used by cmake.
-# If you do not want to change any of the values, simply exit the editor.
-# If you do want to change a value, simply edit, save, and exit the editor.
-# The syntax for the file is as follows:
-# KEY:TYPE=VALUE
-# KEY is the name of a variable in the cache.
-# TYPE is a hint to GUIs for the type of VALUE, DO NOT EDIT TYPE!.
-# VALUE is the current value for the KEY.
-
-########################
-# EXTERNAL cache entries
-########################
-
-//Path to a program.
-CMAKE_ADDR2LINE:FILEPATH=/usr/bin/addr2line
-
-//Path to a program.
-CMAKE_AR:FILEPATH=/usr/bin/ar
-
-//For backwards compatibility, what version of CMake commands and
-// syntax should this version of CMake try to support.
-CMAKE_BACKWARDS_COMPATIBILITY:STRING=2.4
-
-//Choose the type of build, options are: None Debug Release RelWithDebInfo
-// MinSizeRel ...
-CMAKE_BUILD_TYPE:STRING=
-
-//Enable/Disable color output during build.
-CMAKE_COLOR_MAKEFILE:BOOL=ON
-
-//CXX compiler
-CMAKE_CXX_COMPILER:FILEPATH=CMAKE_CXX_COMPILER-NOTFOUND
-
-//Flags used by the CXX compiler during all build types.
-CMAKE_CXX_FLAGS:STRING=
-
-//Flags used by the CXX compiler during DEBUG builds.
-CMAKE_CXX_FLAGS_DEBUG:STRING=
-
-//Flags used by the CXX compiler during MINSIZEREL builds.
-CMAKE_CXX_FLAGS_MINSIZEREL:STRING=
-
-//Flags used by the CXX compiler during RELEASE builds.
-CMAKE_CXX_FLAGS_RELEASE:STRING=
-
-//Flags used by the CXX compiler during RELWITHDEBINFO builds.
-CMAKE_CXX_FLAGS_RELWITHDEBINFO:STRING=
-
-//C compiler
-CMAKE_C_COMPILER:FILEPATH=/usr/bin/cc
-
-//A wrapper around 'ar' adding the appropriate '--plugin' option
-// for the GCC compiler
-CMAKE_C_COMPILER_AR:FILEPATH=/usr/bin/gcc-ar
-
-//A wrapper around 'ranlib' adding the appropriate '--plugin' option
-// for the GCC compiler
-CMAKE_C_COMPILER_RANLIB:FILEPATH=/usr/bin/gcc-ranlib
-
-//Flags used by the C compiler during all build types.
-CMAKE_C_FLAGS:STRING=
-
-//Flags used by the C compiler during DEBUG builds.
-CMAKE_C_FLAGS_DEBUG:STRING=-g
-
-//Flags used by the C compiler during MINSIZEREL builds.
-CMAKE_C_FLAGS_MINSIZEREL:STRING=-Os -DNDEBUG
-
-//Flags used by the C compiler during RELEASE builds.
-CMAKE_C_FLAGS_RELEASE:STRING=-O3 -DNDEBUG
-
-//Flags used by the C compiler during RELWITHDEBINFO builds.
-CMAKE_C_FLAGS_RELWITHDEBINFO:STRING=-O2 -g -DNDEBUG
-
-//Path to a program.
-CMAKE_DLLTOOL:FILEPATH=CMAKE_DLLTOOL-NOTFOUND
-
-//Flags used by the linker during all build types.
-CMAKE_EXE_LINKER_FLAGS:STRING=
-
-//Flags used by the linker during DEBUG builds.
-CMAKE_EXE_LINKER_FLAGS_DEBUG:STRING=
-
-//Flags used by the linker during MINSIZEREL builds.
-CMAKE_EXE_LINKER_FLAGS_MINSIZEREL:STRING=
-
-//Flags used by the linker during RELEASE builds.
-CMAKE_EXE_LINKER_FLAGS_RELEASE:STRING=
-
-//Flags used by the linker during RELWITHDEBINFO builds.
-CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO:STRING=
-
-//Enable/Disable output of compile commands during generation.
-CMAKE_EXPORT_COMPILE_COMMANDS:BOOL=
-
-//Value Computed by CMake.
-CMAKE_FIND_PACKAGE_REDIRECTS_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4/CMakeFiles/pkgRedirects
-
-//Install path prefix, prepended onto install directories.
-CMAKE_INSTALL_PREFIX:PATH=/usr/local
-
-//Path to a program.
-CMAKE_LINKER:FILEPATH=/usr/bin/ld
-
-//Path to a program.
-CMAKE_MAKE_PROGRAM:FILEPATH=/usr/bin/gmake
-
-//Flags used by the linker during the creation of modules during
-// all build types.
-CMAKE_MODULE_LINKER_FLAGS:STRING=
-
-//Flags used by the linker during the creation of modules during
-// DEBUG builds.
-CMAKE_MODULE_LINKER_FLAGS_DEBUG:STRING=
-
-//Flags used by the linker during the creation of modules during
-// MINSIZEREL builds.
-CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL:STRING=
-
-//Flags used by the linker during the creation of modules during
-// RELEASE builds.
-CMAKE_MODULE_LINKER_FLAGS_RELEASE:STRING=
-
-//Flags used by the linker during the creation of modules during
-// RELWITHDEBINFO builds.
-CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO:STRING=
-
-//Path to a program.
-CMAKE_NM:FILEPATH=/usr/bin/nm
-
-//Path to a program.
-CMAKE_OBJCOPY:FILEPATH=/usr/bin/objcopy
-
-//Path to a program.
-CMAKE_OBJDUMP:FILEPATH=/usr/bin/objdump
-
-//Value Computed by CMake
-CMAKE_PROJECT_DESCRIPTION:STATIC=
-
-//Value Computed by CMake
-CMAKE_PROJECT_HOMEPAGE_URL:STATIC=
-
-//Value Computed by CMake
-CMAKE_PROJECT_NAME:STATIC=Project
-
-//Path to a program.
-CMAKE_RANLIB:FILEPATH=/usr/bin/ranlib
-
-//Path to a program.
-CMAKE_READELF:FILEPATH=/usr/bin/readelf
-
-//Flags used by the linker during the creation of shared libraries
-// during all build types.
-CMAKE_SHARED_LINKER_FLAGS:STRING=
-
-//Flags used by the linker during the creation of shared libraries
-// during DEBUG builds.
-CMAKE_SHARED_LINKER_FLAGS_DEBUG:STRING=
-
-//Flags used by the linker during the creation of shared libraries
-// during MINSIZEREL builds.
-CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL:STRING=
-
-//Flags used by the linker during the creation of shared libraries
-// during RELEASE builds.
-CMAKE_SHARED_LINKER_FLAGS_RELEASE:STRING=
-
-//Flags used by the linker during the creation of shared libraries
-// during RELWITHDEBINFO builds.
-CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO:STRING=
-
-//If set, runtime paths are not added when installing shared libraries,
-// but are added when building.
-CMAKE_SKIP_INSTALL_RPATH:BOOL=NO
-
-//If set, runtime paths are not added when using shared libraries.
-CMAKE_SKIP_RPATH:BOOL=NO
-
-//Flags used by the linker during the creation of static libraries
-// during all build types.
-CMAKE_STATIC_LINKER_FLAGS:STRING=
-
-//Flags used by the linker during the creation of static libraries
-// during DEBUG builds.
-CMAKE_STATIC_LINKER_FLAGS_DEBUG:STRING=
-
-//Flags used by the linker during the creation of static libraries
-// during MINSIZEREL builds.
-CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL:STRING=
-
-//Flags used by the linker during the creation of static libraries
-// during RELEASE builds.
-CMAKE_STATIC_LINKER_FLAGS_RELEASE:STRING=
-
-//Flags used by the linker during the creation of static libraries
-// during RELWITHDEBINFO builds.
-CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO:STRING=
-
-//Path to a program.
-CMAKE_STRIP:FILEPATH=/usr/bin/strip
-
-//If this value is on, makefiles will be generated without the
-// .SILENT directive, and all commands will be echoed to the console
-// during the make.  This is useful for debugging only. With Visual
-// Studio IDE projects all commands are done without /nologo.
-CMAKE_VERBOSE_MAKEFILE:BOOL=FALSE
-
-//Single output directory for building all executables.
-EXECUTABLE_OUTPUT_PATH:PATH=
-
-//Single output directory for building all libraries.
-LIBRARY_OUTPUT_PATH:PATH=
-
-//Value Computed by CMake
-Project_BINARY_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
-
-//Value Computed by CMake
-Project_IS_TOP_LEVEL:STATIC=ON
-
-//Value Computed by CMake
-Project_SOURCE_DIR:STATIC=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
-
-
-########################
-# INTERNAL cache entries
-########################
-
-//ADVANCED property for variable: CMAKE_ADDR2LINE
-CMAKE_ADDR2LINE-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_AR
-CMAKE_AR-ADVANCED:INTERNAL=1
-//This is the directory where this CMakeCache.txt was created
-CMAKE_CACHEFILE_DIR:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
-//Major version of cmake used to create the current loaded cache
-CMAKE_CACHE_MAJOR_VERSION:INTERNAL=3
-//Minor version of cmake used to create the current loaded cache
-CMAKE_CACHE_MINOR_VERSION:INTERNAL=26
-//Patch version of cmake used to create the current loaded cache
-CMAKE_CACHE_PATCH_VERSION:INTERNAL=3
-//ADVANCED property for variable: CMAKE_COLOR_MAKEFILE
-CMAKE_COLOR_MAKEFILE-ADVANCED:INTERNAL=1
-//Path to CMake executable.
-CMAKE_COMMAND:INTERNAL=/usr/bin/cmake
-//Path to cpack program executable.
-CMAKE_CPACK_COMMAND:INTERNAL=/usr/bin/cpack
-//Path to ctest program executable.
-CMAKE_CTEST_COMMAND:INTERNAL=/usr/bin/ctest
-//ADVANCED property for variable: CMAKE_CXX_COMPILER
-CMAKE_CXX_COMPILER-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_CXX_FLAGS
-CMAKE_CXX_FLAGS-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_CXX_FLAGS_DEBUG
-CMAKE_CXX_FLAGS_DEBUG-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_CXX_FLAGS_MINSIZEREL
-CMAKE_CXX_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELEASE
-CMAKE_CXX_FLAGS_RELEASE-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_CXX_FLAGS_RELWITHDEBINFO
-CMAKE_CXX_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_COMPILER
-CMAKE_C_COMPILER-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_COMPILER_AR
-CMAKE_C_COMPILER_AR-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_COMPILER_RANLIB
-CMAKE_C_COMPILER_RANLIB-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_FLAGS
-CMAKE_C_FLAGS-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_FLAGS_DEBUG
-CMAKE_C_FLAGS_DEBUG-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_FLAGS_MINSIZEREL
-CMAKE_C_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_FLAGS_RELEASE
-CMAKE_C_FLAGS_RELEASE-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_C_FLAGS_RELWITHDEBINFO
-CMAKE_C_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_DLLTOOL
-CMAKE_DLLTOOL-ADVANCED:INTERNAL=1
-//Path to cache edit program executable.
-CMAKE_EDIT_COMMAND:INTERNAL=/usr/bin/ccmake
-//Executable file format
-CMAKE_EXECUTABLE_FORMAT:INTERNAL=ELF
-//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS
-CMAKE_EXE_LINKER_FLAGS-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_DEBUG
-CMAKE_EXE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_MINSIZEREL
-CMAKE_EXE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELEASE
-CMAKE_EXE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO
-CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_EXPORT_COMPILE_COMMANDS
-CMAKE_EXPORT_COMPILE_COMMANDS-ADVANCED:INTERNAL=1
-//Name of external makefile project generator.
-CMAKE_EXTRA_GENERATOR:INTERNAL=
-//Name of generator.
-CMAKE_GENERATOR:INTERNAL=Unix Makefiles
-//Generator instance identifier.
-CMAKE_GENERATOR_INSTANCE:INTERNAL=
-//Name of generator platform.
-CMAKE_GENERATOR_PLATFORM:INTERNAL=
-//Name of generator toolset.
-CMAKE_GENERATOR_TOOLSET:INTERNAL=
-//Source directory with the top level CMakeLists.txt file for this
-// project
-CMAKE_HOME_DIRECTORY:INTERNAL=/home/parallels/compliance_as_code/content-cealcorn/products/bascontrol22d4
-//Install .so files without execute permission.
-CMAKE_INSTALL_SO_NO_EXE:INTERNAL=0
-//ADVANCED property for variable: CMAKE_LINKER
-CMAKE_LINKER-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_MAKE_PROGRAM
-CMAKE_MAKE_PROGRAM-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS
-CMAKE_MODULE_LINKER_FLAGS-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_DEBUG
-CMAKE_MODULE_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL
-CMAKE_MODULE_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELEASE
-CMAKE_MODULE_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO
-CMAKE_MODULE_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_NM
-CMAKE_NM-ADVANCED:INTERNAL=1
-//number of local generators
-CMAKE_NUMBER_OF_MAKEFILES:INTERNAL=1
-//ADVANCED property for variable: CMAKE_OBJCOPY
-CMAKE_OBJCOPY-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_OBJDUMP
-CMAKE_OBJDUMP-ADVANCED:INTERNAL=1
-//Platform information initialized
-CMAKE_PLATFORM_INFO_INITIALIZED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_RANLIB
-CMAKE_RANLIB-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_READELF
-CMAKE_READELF-ADVANCED:INTERNAL=1
-//Path to CMake installation.
-CMAKE_ROOT:INTERNAL=/usr/share/cmake
-//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS
-CMAKE_SHARED_LINKER_FLAGS-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_DEBUG
-CMAKE_SHARED_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL
-CMAKE_SHARED_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELEASE
-CMAKE_SHARED_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
-CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_SKIP_INSTALL_RPATH
-CMAKE_SKIP_INSTALL_RPATH-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_SKIP_RPATH
-CMAKE_SKIP_RPATH-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS
-CMAKE_STATIC_LINKER_FLAGS-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_DEBUG
-CMAKE_STATIC_LINKER_FLAGS_DEBUG-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL
-CMAKE_STATIC_LINKER_FLAGS_MINSIZEREL-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELEASE
-CMAKE_STATIC_LINKER_FLAGS_RELEASE-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO
-CMAKE_STATIC_LINKER_FLAGS_RELWITHDEBINFO-ADVANCED:INTERNAL=1
-//ADVANCED property for variable: CMAKE_STRIP
-CMAKE_STRIP-ADVANCED:INTERNAL=1
-//uname command
-CMAKE_UNAME:INTERNAL=/usr/bin/uname
-//ADVANCED property for variable: CMAKE_VERBOSE_MAKEFILE
-CMAKE_VERBOSE_MAKEFILE-ADVANCED:INTERNAL=1
-//linker supports push/pop state
-_CMAKE_LINKER_PUSHPOP_STATE_SUPPORTED:INTERNAL=TRUE
-
diff --git a/products/bascontrol22d4/product.yml b/products/bascontrol22d4/product.yml
index f0acfc6162dd..16fa4d0d30ba 100644
--- a/products/bascontrol22d4/product.yml
+++ b/products/bascontrol22d4/product.yml
@@ -11,7 +11,7 @@ profiles_root: "./profiles"
 
 cpes_root: "../../shared/applicability"
 cpes:
-  bascontrol22d4:
-    name: "cpe:/o:bascontrol22d:4"
-    title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4"
-    check_id: installed_app_is_bascontrol22d4
+  - bascontrol22d4:
+      name: "cpe:/a:bascontrol22d:4"
+      title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4"
+      check_id: installed_app_is_bascontrol22d4
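Review bot: The CPE URI on line 20012, `cpe:/a:bascontrol22d:4`, puts the product name in the vendor position: in the `cpe:/<part>:<vendor>:<product>:<version>` URI form this reads as vendor `bascontrol22d` and product `4`, which is unlikely to match any platform CPE a scanner resolves for the device. A name of the shape `cpe:/a:<vendor-slug>:bascontrol22d:4` (placeholder — pick the vendor slug to match the convention used by the other entries under `shared/applicability`) keeps the title's vendor, product and version in their own fields. The switch from `/o` to `/a` also deserves a second look: the title describes a hardware controller, and whether the applicability check `installed_app_is_bascontrol22d4` treats the target as an application, an operating system (`/o`) or a hardware platform (`/h`) decides which part is correct.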
diff --git a/products/bascontrol22d4/profiles/standard.profile b/products/bascontrol22d4/profiles/standard.profile
index 1cc540965a81..452bbd66ea13 100644
--- a/products/bascontrol22d4/profiles/standard.profile
+++ b/products/bascontrol22d4/profiles/standard.profile
@@ -6,5 +6,4 @@ description: |-
     This profile contains rules to ensure standard security baseline
     of a Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4 system.
 
-selections:
-    - firefox_policy-addons_permission
+#selections:
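Review bot: Line 20025 comments out the `selections:` key rather than giving the profile an empty list, so the profile now has no `selections` entry at all; if the content build requires the key this profile fails to build, and if it tolerates a missing key it emits a profile selecting zero rules, which a consumer cannot tell apart from a misconfiguration. Writing `selections: []` with a comment such as `# TODO: add BAScontrol22D rules once they exist` makes the intent explicit, or the profile can be dropped until rules are available. The removed `firefox_policy-addons_permission` entry appears to be copy-paste from another product, so removing it is right; the point is only about what replaces it.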
diff --git a/ssg/constants.py b/ssg/constants.py
index c9c1d83d3c9f..fcac3b80bbcf 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -214,7 +214,7 @@
     "Anolis OS 8": "anolis8",
     "Anolis OS 23": "anolis23",
     "Amazon Linux 2023": "al2023",
-    "Contemporary Controls BAScontrol22D 4": "bascontrol33d4",
+    "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4": "bascontrol22d4",
     "Debian 11": "debian11",
     "Debian 12": "debian12",
     "Debian 13": "debian13",

From 42533ae10b903f4b2b03a16da001a85ac70082f4 Mon Sep 17 00:00:00 2001
From: cealcorn 
Date: Wed, 11 Feb 2026 05:30:28 -0800
Subject: [PATCH 265/265] add benchmark

---
 products/bascontrol22d4/guide/benchmark.yml | 54 +++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 products/bascontrol22d4/guide/benchmark.yml

diff --git a/products/bascontrol22d4/guide/benchmark.yml b/products/bascontrol22d4/guide/benchmark.yml
new file mode 100644
index 000000000000..f875507f9b5a
--- /dev/null
+++ b/products/bascontrol22d4/guide/benchmark.yml
@@ -0,0 +1,54 @@
+---
+documentation_complete: true
+
+title: Guide to the Secure Configuration of {{{ full_name }}}
+
+status: draft
+
+description: |
+    This guide presents a catalog of security-relevant
+    configuration settings for {{{ full_name }}}. It is a rendering of
+    content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
+    in order to support security automation.  The SCAP content is
+    is available in the scap-security-guide package which is developed at
+    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}.
+    

+ Providing system administrators with such guidance informs them how to securely
+ configure systems under their control in a variety of network roles. Policy
+ makers and baseline creators can use this catalog of settings, with its
+ associated references to higher-level security control catalogs, in order to
+ assist them in security baseline creation. This guide is a catalog, not a
+ checklist, and satisfaction of every item is not likely to be possible or
+ sensible in many operational scenarios. However, the XCCDF format enables
+ granular selection and adjustment of settings, and their association with OVAL
+ and OCIL content provides an automated checking capability. Transformations of
+ this document, and its associated automated checking content, are capable of
+ providing baselines that meet a diverse set of policy objectives. Some example
+ XCCDF Profiles, which are selections of items that form checklists and
+ can be used as baselines, are available with this guide. They can be
+ processed, in an automated fashion, with tools that support the Security
+ Content Automation Protocol (SCAP). The DISA STIG for {{{ full_name }}},
+ which provides required settings for US Department of Defense systems, is
+ one example of a baseline created from this guidance.
+
+notice:
+ id: terms_of_use
+ description: |
+ Do not attempt to implement any of the settings in
+ this guide without first testing them in a non-operational environment. The
+ creators of this guidance assume no responsibility whatsoever for its use by
+ other parties, and makes no guarantees, expressed or implied, about its
+ quality, reliability, or any other characteristic.
+
+front-matter: |
+ # BASCONSTROL22D-$ Benchmark
+ The SCAP Security Guide Project
+ {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}
+
+rear-matter: |
+ Red Hat and Red Hat Enterprise Linux are either registered
+ trademarks or trademarks of Red Hat, Inc. in the United States and other
+ countries. All other names are registered trademarks or trademarks of their
+ respective companies.
+
+version: 0.9
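Review bot: The front-matter heading on the new side, `# BASCONSTROL22D-$ Benchmark`, misspells the product name and has a `$` where the version digit presumably belongs; `# {{{ full_name }}} Benchmark` would reuse the same macro the title already uses and cannot drift from product.yml. The description also carries text inherited from another product's benchmark that does not hold here as written: `The SCAP content is is available` doubles a word, and the sentence beginning `The DISA STIG for {{{ full_name }}}` asserts that a DISA STIG exists for this controller, which should be removed or reworded unless one does. The rear-matter Red Hat trademark paragraph likewise comes from a Red Hat product and should be replaced with the notice appropriate for this vendor, or dropped.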