From a72b4fe22bbe1ac8eebe6a6a4f364e374c5391af Mon Sep 17 00:00:00 2001 From: Renbo Date: Mon, 30 Jan 2023 11:49:05 +0800 Subject: [PATCH 1/3] update to scap-security-guide-0.1.63-4.el8 
Signed-off-by: Renbo --- disable-not-in-good-shape-profiles.patch | 34 +- dist | 2 +- download | 2 +- ...form_for_partition_existence-PR_9204.patch | 176 +- ..._partition_platform_to_rules-PR_9324.patch | 26 +- ...nsible_partition_conditional-PR_9339.patch | 46 +- ...4-fix_enable_fips_mode_s390x-PR_9355.patch | 33 + ...-0.1.64-fix_sudoers_defaults-PR_9299.patch | 107 + ...handling_of_rsyslog_includes-PR_9326.patch | 967 +++ ....1.64-ospp_autselect_minimal-PR_9298.patch | 80 +- ...4-ospp_grub_disable_recovery-PR_9321.patch | 49 +- ...urity-guide-0.1.64-stig_aide-PR_9282.patch | 27 +- ...ide-0.1.64-stig_bump_version-PR_9276.patch | 6609 +++++++++-------- ...-0.1.64-stig_ipv4_forwarding-PR_9277.patch | 73 +- ...-0.1.64-stig_readd_ssh_rules-PR_9318.patch | 25 +- ...0.1.64-stig_sudoers_includes-PR_9283.patch | 49 +- ...stig_sysctl_multivalue_rules-PR_9286.patch | 364 +- ...4-sysctl_template_multivalue-PR_9147.patch | 1871 ++++- ...s_for_rsyslog_remote_loghost-PR_9305.patch | 92 + ...-0.1.65-supports_anolis_os_8-PR_9770.patch | 2957 -------- scap-security-guide.spec | 112 +- 21 files changed, 6609 insertions(+), 7092 deletions(-) rename scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch => scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch (58%) rename scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path => scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch (85%) create mode 100644 scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch create mode 100644 scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch create mode 100644 scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch rename scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch => scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch (62%) rename scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch => 
scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch (53%) rename scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch => scap-security-guide-0.1.64-stig_aide-PR_9282.patch (90%) rename scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch => scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch (99%) rename scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch => scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch (83%) rename scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch => scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch (85%) rename scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch => scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch (74%) rename scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch => scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch (55%) rename scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch => scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch (41%) create mode 100644 scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch delete mode 100644 scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch diff --git a/disable-not-in-good-shape-profiles.patch b/disable-not-in-good-shape-profiles.patch index 047c3fd..655c558 100644 --- a/disable-not-in-good-shape-profiles.patch +++ b/disable-not-in-good-shape-profiles.patch 
@@ -1,24 +1,8 @@ -From eaa73e6d6e3de62e9ed895de7b4b1f2f1c1280ca Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 9 Aug 2022 10:04:01 +0200 -Subject: [PATCH 1/8] Disable profiles not in a good shape - -Patch-name: disable-not-in-good-shape-profiles.patch -Patch-status: |- - Disable profiles that are not in good shape for products/rhel8 -Patch-id: 0 ---- - products/rhel8/CMakeLists.txt | 1 - - products/rhel8/profiles/cjis.profile | 2 +- - products/rhel8/profiles/rht-ccp.profile | 2 +- - products/rhel8/profiles/standard.profile | 2 +- - 4 files changed, 3 insertions(+), 4 deletions(-) - diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt -index 9c044b68ab..8f6ca03de8 100644 +index 5258591c7f..cc4b9c5720 100644 --- a/products/rhel8/CMakeLists.txt +++ b/products/rhel8/CMakeLists.txt -@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT}) +@@ -11,7 +11,6 @@ ssg_build_product(${PRODUCT}) ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss") ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist") @@ -26,8 +10,8 @@ index 9c044b68ab..8f6ca03de8 100644 ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist") ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi") -diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile -index 30843b692e..18394802b9 100644 +diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index 035d2705b..c6475f33e 100644 --- a/products/rhel8/profiles/cjis.profile +++ b/products/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ 
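Review bot: The rewritten header `+diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile` drops the `products/` prefix on the b-side, while the unchanged `+++ b/products/rhel8/profiles/cjis.profile` line right after it keeps it; the same mismatch appears in the rht-ccp and standard hunks (`@@ -36,8 +20,8 @@` and `@@ -46,8 +30,8 @@`). GNU patch and git apply normally take the target path from the `---`/`+++` lines, so the patch probably still applies, but an a/b header that disagrees with them reads as a hand edit and will trip rename detection or anyone diffing this patch against upstream. Suggest `+diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile` and the same prefix for the two sibling headers.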
@@ -36,8 +20,8 @@ index 30843b692e..18394802b9 100644 metadata: version: 5.4 -diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile -index e8e7e3a72f..d293c779bb 100644 +diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile +index c84579592..164ec98c4 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -46,8 +30,8 @@ index e8e7e3a72f..d293c779bb 100644 title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' -diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile -index a63ae2cf32..da669bb843 100644 +diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile +index a63ae2cf3..da669bb84 100644 --- a/products/rhel8/profiles/standard.profile +++ b/products/rhel8/profiles/standard.profile @@ -1,4 +1,4 @@ @@ -57,5 +41,5 @@ index a63ae2cf32..da669bb843 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.37.1 +2.26.2 diff --git a/dist b/dist index 0ee7539..9c0e36e 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_6 +an8 diff --git a/download b/download index 6576254..7be4e82 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -c9923cb0a1865045fb5bbba5f0581c15 scap-security-guide-0.1.63.tar.bz2 219c992603514558e5f6f3d29adaa534 scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 +c9923cb0a1865045fb5bbba5f0581c15 scap-security-guide-0.1.63.tar.bz2 diff --git a/scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch b/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch similarity index 58% rename from scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch rename to scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch index 5c50f9c..ac3b3a6 100644 --- a/scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch 
+++ b/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch 
@@ -1,52 +1,21 @@ -From c4ce06ce707529c14376ca8bb6e2b03f072e81fd Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Wed, 10 Aug 2022 13:20:29 +0200 -Subject: [PATCH 11/12] Merge pull request #9204 from - matejak/applicability_var_tmp +From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Thu, 21 Jul 2022 16:42:41 +0200 +Subject: [PATCH 1/3] Add platforms for partition existence -Patch-name: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch -Patch-status: Introduce and apply the "partition exists" platform --- - .../mount_option_var_tmp_nodev/rule.yml | 3 ++- - .../tests/notapplicable.pass.sh | 5 +++++ shared/applicability/general.yml | 14 +++++++++++++ - .../checks/oval/installed_env_mounts_tmp.xml | 10 ++++++++++ - .../oval/installed_env_mounts_var_tmp.xml | 10 ++++++++++ + .../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++ + .../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++ shared/macros/10-ansible.jinja | 5 +++++ shared/macros/10-bash.jinja | 5 +++++ - shared/macros/10-oval.jinja | 20 +++++++++++++++++++ - 8 files changed, 71 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh + shared/macros/10-oval.jinja | 21 +++++++++++++++++++ + 6 files changed, 65 insertions(+) create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -index 8ee8c8b12e..741d097328 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -@@ -38,7 +38,8 @@ references: - stigid@ol8: OL08-00-040132 - stigid@rhel8: RHEL-08-040132 - 
--platform: machine -+platforms: -+ - machine and partition-var-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh -new file mode 100644 -index 0000000000..241c0103d8 ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+. $SHARED/partition.sh -+ -+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml -index 2d23d75314..e2f5d04ce0 100644 +index 2d23d753148..e2f5d04ce00 100644 --- a/shared/applicability/general.yml +++ b/shared/applicability/general.yml @@ -77,6 +77,20 @@ cpes: @@ -72,7 +41,7 @@ index 2d23d75314..e2f5d04ce0 100644 title: "Package polkit is installed" diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml new file mode 100644 -index 0000000000..edd8ad050f +index 00000000000..c1bcd6b2431 --- /dev/null +++ b/shared/checks/oval/installed_env_mounts_tmp.xml @@ -0,0 +1,10 @@ @@ -84,11 +53,11 @@ index 0000000000..edd8ad050f + + + -+ {{{ partition_exists_test_object("/tmp") }}} ++ {{{ partition_exists_tos("/tmp") }}} + diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml new file mode 100644 -index 0000000000..cf9aafbdb0 +index 00000000000..a72f49c8a8f --- /dev/null +++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml @@ -0,0 +1,10 @@ @@ -100,13 +69,13 @@ index 0000000000..cf9aafbdb0 + + + -+ {{{ partition_exists_test_object("/var/tmp") }}} ++ {{{ partition_exists_tos("/var/tmp") }}} + 
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja -index 20dc2020e4..5e40fe4aa2 100644 +index 2d24f730d3f..478f0072bc7 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja -@@ -1432,3 +1432,8 @@ Part of the grub2_bootloader_argument_absent template. +@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template. when: - result_pam_file_present.stat.exists {{%- endmacro -%}} @@ -116,10 +85,10 @@ index 20dc2020e4..5e40fe4aa2 100644 +"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" +{{%- endmacro -%}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja -index 41d9e18a1e..b0f7f3cf4a 100644 +index 94c3c6f9570..6a7fb165fd2 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja -@@ -2073,3 +2073,8 @@ else +@@ -2085,3 +2085,8 @@ else echo "{{{ pam_file }}} was not found" >&2 fi {{%- endmacro -%}} @@ -129,33 +98,130 @@ index 41d9e18a1e..b0f7f3cf4a 100644 +'findmnt --mountpoint "{{{ path }}}" > /dev/null' +{{%- endmacro -%}} diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja -index c8d7bbeffb..f302091f7d 100644 +index c8d7bbeffb7..1ec93b6ef7d 100644 --- a/shared/macros/10-oval.jinja 
+++ b/shared/macros/10-oval.jinja -@@ -926,3 +926,23 @@ Generates the :code:`` tag for OVAL check using correct product platfo +@@ -926,3 +926,24 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- else %}} {{%- set user_list="nobody" %}} {{%- endif %}} + + +{{%- macro partition_exists_criterion(path) %}} -+{{%- set escaped_path = path | escape_id %}} ++{{%- set escaped_path = path | replace("/", "_") %}} + +{{%- endmacro %}} + -+{{%- macro partition_exists_test_object(path) %}} -+{{%- set escaped_path = path | escape_id %}} ++{{%- macro partition_exists_tos(path) %}} ++{{%- set escaped_path = path | replace("/", "_") %}} + + ++ {{#- #}} + + + + {{{ path }}} + +{{%- endmacro %}} --- -2.37.1 +From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Thu, 21 Jul 2022 16:43:21 +0200 +Subject: [PATCH 2/3] Use partition exist platforms on a real rule + +--- + .../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++- + .../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +index 8ee8c8b12e0..741d0973283 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +@@ -38,7 +38,8 @@ references: + stigid@ol8: OL08-00-040132 + stigid@rhel8: RHEL-08-040132 + +-platform: machine ++platforms: ++ - machine and partition-var-tmp + + template: + name: mount_option +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh 
b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh +new file mode 100644 +index 00000000000..241c0103d82 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++. $SHARED/partition.sh ++ ++clean_up_partition /var/tmp # Remove the partition from the system, and unmount it + +From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Wed, 10 Aug 2022 11:32:38 +0200 +Subject: [PATCH 3/3] Improve code style + +- Improve description of OVAL macro +- Use the escape_id filter to produce IDs +--- + shared/checks/oval/installed_env_mounts_tmp.xml | 2 +- + shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +- + shared/macros/10-oval.jinja | 7 +++---- + 3 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml +index c1bcd6b2431..edd8ad050f5 100644 +--- a/shared/checks/oval/installed_env_mounts_tmp.xml ++++ b/shared/checks/oval/installed_env_mounts_tmp.xml +@@ -6,5 +6,5 @@ + + + +- {{{ partition_exists_tos("/tmp") }}} ++ {{{ partition_exists_test_object("/tmp") }}} + +diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml +index a72f49c8a8f..cf9aafbdb04 100644 +--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml ++++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml +@@ -6,5 +6,5 @@ + + + +- {{{ partition_exists_tos("/var/tmp") }}} ++ {{{ partition_exists_test_object("/var/tmp") }}} + +diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja +index 1ec93b6ef7d..f302091f7df 100644 +--- a/shared/macros/10-oval.jinja ++++ b/shared/macros/10-oval.jinja +@@ -929,18 +929,17 @@ Generates the :code:`` tag for OVAL check using correct product platfo + + + {{%- macro partition_exists_criterion(path) %}} 
+-{{%- set escaped_path = path | replace("/", "_") %}} ++{{%- set escaped_path = path | escape_id %}} + + {{%- endmacro %}} + +-{{%- macro partition_exists_tos(path) %}} +-{{%- set escaped_path = path | replace("/", "_") %}} ++{{%- macro partition_exists_test_object(path) %}} ++{{%- set escaped_path = path | escape_id %}} + + +- {{#- #}} + + + diff --git a/scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path b/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch similarity index 85% rename from scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path rename to scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch index df6ca5e..1d5854e 100644 --- a/scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path +++ b/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch @@ -1,11 +1,8 @@ -From 89687cb88490f24428ae553021c667303980d8f4 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Wed, 10 Aug 2022 16:16:54 +0200 -Subject: [PATCH 12/12] Merge pull request #9324 from - matejak/applicability_var_tmp +From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Wed, 10 Aug 2022 13:35:50 +0200 +Subject: [PATCH] Add the platform applicability to relevant rules -Patch-name: scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path -Patch-status: Add the platform applicability to relevant rules --- .../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +- .../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +- @@ -16,7 +13,7 @@ Patch-status: Add the platform applicability to relevant rules 6 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -index 45a73e0286..79a19a8d30 100644 +index 45a73e0286a..79a19a8d30b 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml @@ -45,7 +45,7 @@ references: @@ -29,7 +26,7 @@ index 45a73e0286..79a19a8d30 100644 template: name: mount_option diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -index 7356183bab..d3f6d6175e 100644 +index 7356183bab3..d3f6d6175e5 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml @@ -44,7 +44,7 @@ references: @@ -42,7 +39,7 @@ index 7356183bab..d3f6d6175e 100644 template: name: mount_option diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml -index d153b86934..10790dc95a 100644 +index d153b86934f..10790dc95a7 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml @@ -45,7 +45,7 @@ references: @@ -55,7 +52,7 @@ index d153b86934..10790dc95a 100644 template: name: mount_option diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -index 133e7727ca..05992df4b4 100644 +index 133e7727ca7..05992df4b49 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml 
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml @@ -31,7 +31,7 @@ references: @@ -68,7 +65,7 @@ index 133e7727ca..05992df4b4 100644 template: name: mount_option diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -index 39fd458ec6..dc00b2f237 100644 +index 39fd458ec6b..dc00b2f2376 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml @@ -38,7 +38,7 @@ references: @@ -81,7 +78,7 @@ index 39fd458ec6..dc00b2f237 100644 template: name: mount_option diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -index 349f334895..f0c26b6d9c 100644 +index 349f3348955..f0c26b6d9c5 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml @@ -38,7 +38,7 @@ references: @@ -93,6 +90,3 @@ index 349f334895..f0c26b6d9c 100644 template: name: mount_option --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch b/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch index bf1757f..8da44fd 100644 --- a/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch +++ b/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch 
@@ -1,26 +1,48 @@ -From 7db8ad5f312b632d6b8a176b615929ffa5cb1de3 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 15 Aug 2022 14:47:40 +0200 -Subject: [PATCH 13/13] Merge pull request #9339 from - yuumasato/fix_ansible_partition_conditionals +From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 15 Aug 2022 13:14:58 +0200 +Subject: [PATCH 1/2] Access the mounts via ansible_mounts -Patch-name: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch -Patch-status: Fix ansible partition conditionals +It seems that the data about ansible_mounts should be accessed without +the 'ansible_facts' prefix. --- shared/macros/10-ansible.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja -index 5e40fe4aa2..55a78c3a8b 100644 +index 478f0072bc7..e8bff0973f5 100644 --- a/shared/macros/10-ansible.jinja 
+++ b/shared/macros/10-ansible.jinja -@@ -1435,5 +1435,5 @@ Part of the grub2_bootloader_argument_absent template. +@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template. {{%- macro ansible_partition_conditional(path) -%}} -"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" -+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list' ++"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" {{%- endmacro -%}} --- -2.37.2 +From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 15 Aug 2022 13:16:24 +0200 +Subject: [PATCH 2/2] Avoid use of json_query and additional dependency + +The json_query filter requires package jmespath to be installed. + +This also avoids mismatchs in python version between ansible and +python3-jmespath. Some distros (RHEL8) don't have jmespath module +available for the same python version ansible is using. +--- + shared/macros/10-ansible.jinja | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja +index e8bff0973f5..beb2bc11403 100644 +--- a/shared/macros/10-ansible.jinja ++++ b/shared/macros/10-ansible.jinja +@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template. + + + {{%- macro ansible_partition_conditional(path) -%}} +-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" ++'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list' + {{%- endmacro -%}} diff --git a/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch b/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch new file mode 100644 index 0000000..e5132c3 --- /dev/null +++ b/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch 
@@ -0,0 +1,33 @@ +From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 16 Aug 2022 18:53:02 +0200 +Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x + +There is no need to check /etc/grubenv for fips=1 on s390x systems, it +uses zIPL. +--- + .../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 65056a654c6..7af675de0d3 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -7,9 +7,16 @@ + + + +- {{% if product in ["ol8","rhel8"] %}} ++ {{% if product in ["ol8"] %}} + ++ {{% elif product in ["rhel8"] %}} ++ ++ ++ ++ + {{% endif %}} + + diff --git a/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch b/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch new file mode 100644 index 0000000..dd18148 --- /dev/null +++ b/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch 
@@ -0,0 +1,107 @@ +From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 5 Aug 2022 12:45:24 +0200 +Subject: [PATCH] Fix rule sudo_custom_logfile + +- Allow only white space after the Default keyword to avoid + matching words that only start with Default. +- If the variable value contains slashes they need to be escaped + because the sed command uses slashes as a separator, otherwise + the sed doesn't replace the wrong line during a remediation. + +Also adds 2 test scenarios. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109 +--- + .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +- + .../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++ + .../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++ + shared/templates/sudo_defaults_option/ansible.template | 2 +- + shared/templates/sudo_defaults_option/bash.template | 5 +++-- + shared/templates/sudo_defaults_option/oval.template | 2 +- + 6 files changed, 14 insertions(+), 5 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +index 739f5f14936..94fbaaa33ed 100644 +--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo' + + ocil: |- + To determine if logfile has been configured for sudo, run the following command: +-
$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
++
$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
+ The command should return a matching output. + + template: +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh +new file mode 100644 +index 00000000000..13ff4559edb +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh +new file mode 100644 +index 00000000000..ec24854f0f9 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers +diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template +index 094fa430b64..c9e344ec772 100644 +--- a/shared/templates/sudo_defaults_option/ansible.template ++++ b/shared/templates/sudo_defaults_option/ansible.template +@@ -8,7 +8,7 @@ + - name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers + lineinfile: + path: /etc/sudoers +- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$' ++ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$' + line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2' + validate: /usr/sbin/visudo -cf %s + backrefs: yes +diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template +index e3563d42db6..e7d962a668d 100644 +--- a/shared/templates/sudo_defaults_option/bash.template ++++ b/shared/templates/sudo_defaults_option/bash.template +@@ -9,7 +9,7 @@ + {{% 
endif %}} + if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak +- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then ++ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option {{{ OPTION }}} + echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers + {{%- if not VARIABLE_NAME %}} +@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then + {{% if '/' in OPTION %}} + {{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}} + {{% endif %}} +- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers ++ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}} ++ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + {{% endif %}} +diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template +index c0d81c95093..a9636a7204a 100644 +--- a/shared/templates/sudo_defaults_option/oval.template ++++ b/shared/templates/sudo_defaults_option/oval.template +@@ -13,7 +13,7 @@ + + + ^/etc/sudoers(|\.d/.*)$ +- ^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$ ++ ^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$ + 1 + + diff --git a/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch b/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch new file mode 100644 index 0000000..9c0ff1e --- /dev/null +++ b/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch 
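Review bot: The new value pattern `=[-]?.+\b(.*)$` in the ansible template (hunk `@@ -8,7 +8,7 @@`) is greedy: on a `Defaults` line that carries further comma-separated options after the logfile value, `.+` runs to the last word boundary and `\2` comes back empty, so the remediation rewrites the line as `Defaults \1logfile=VALUE` and silently drops those options — a regression from the old `\w+`, which merely failed to match paths. The same greedy `.+` is in the new sed line in bash.template (`@@ -21,7 +21,8 @@`), whose pattern also still anchors on `Defaults.*` although the grep two hunks earlier was tightened to `Defaults[\s]*`. A bounded value class fixes both, e.g. `regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?[^\s,]+(.*)$'` for the ansible task and `[-]?[^[:space:],]+(.*$)` for the sed expression; quoted values containing spaces would need separate handling. `escaped_variable` only escapes `/`, so a value containing `&` or `\` is still interpreted by sed's replacement; the value comes from an XCCDF variable rather than untrusted input, so a comment stating that assumption next to the assignment would be enough.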
@@ -0,0 +1,967 @@ +From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Wed, 13 Apr 2022 20:06:18 +0800 +Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard + +This patch fixes the issue that the array is expanded to wildcard path instead of its elements. +A simple test case as follows: + + /etc/rsyslog.conf + include(file="/etc/rsyslog.d/*.conf" mode="optional") + + /etc/rsyslog.d/custom1.conf + local1.* /tmp/local1.out + + /etc/rsyslog.d/custom2.conf + local2.* /tmp/local2.out +--- + .../rsyslog_files_permissions/bash/shared.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index b794ea8db31..02b0c36d899 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -5,8 +5,8 @@ + RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" + # * And also the log file paths listed after rsyslog's $IncludeConfig directive + # (store the result into array for the case there's shell glob used as value of IncludeConfig) +-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) ++readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) ++readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} 
f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)) + + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + +From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Thu, 14 Apr 2022 15:58:04 +0800 +Subject: [PATCH 02/15] A better fix. + + * Should also fixed the CI failure. +--- + .../rsyslog_files_permissions/bash/shared.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 02b0c36d899..1aebb8f9da5 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -5,8 +5,10 @@ + RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" + # * And also the log file paths listed after rsyslog's $IncludeConfig directive + # (store the result into array for the case there's shell glob used as value of IncludeConfig) +-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) +-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)) ++readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) ++readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) ++readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' 
/etc/rsyslog.conf) ++readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) + + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + +From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 15 Apr 2022 10:47:37 +0800 +Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog + +--- + .../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++ + .../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++ + 2 files changed, 113 insertions(+) + create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh + create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +new file mode 100755 +index 00000000000..7cb09128d78 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -0,0 +1,56 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Check rsyslog.conf with log file permissions 0600 from rules and ++# log file permissions 0600 from $IncludeConfig passes. 
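Review bot: `eval printf '%s\\n' "${INCPATH}"` in both new readarray lines re-parses text taken from /etc/rsyslog.conf as shell, so an include path containing `$(...)` or backticks is executed as root when the remediation runs; the `$IncludeConfig` grep excludes only whitespace and `;`, and the `include()` awk accepts any `\S+`. Glob expansion does not need eval: `for f in ${INCPATH}; do printf '%s\n' "${f}"; done` (an unquoted expansion undergoes pathname expansion but never command substitution, and an unmatched pattern is kept literally exactly as with eval), or `compgen -G "${INCPATH}"`. The `printf '%s\n' $(...)` form this commit replaces already had that property.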
++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS=0600 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++mkdir ${conf_subdir} ++test_subdir_conf=${conf_subdir}/test_subdir.conf ++test_conf=${RSYSLOG_TEST_DIR}/test.conf ++cat << EOF > ${test_subdir_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[2]} ++EOF ++ ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++ ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++ ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +new file mode 100755 +index 00000000000..942eaf086a1 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -0,0 +1,57 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++ ++# Check rsyslog.conf with log file permissions 0600 from rules and ++# log file permissions 0601 from $IncludeConfig fails. 
++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS_PASS=0600 ++PERMS_FAIL=0601 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++mkdir ${conf_subdir} ++test_subdir_conf=${conf_subdir}/test_subdir.conf ++test_conf=${RSYSLOG_TEST_DIR}/test.conf ++cat << EOF > ${test_subdir_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[2]} ++EOF ++ ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++ ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++ ++EOF + +From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Thu, 19 May 2022 01:22:19 +0800 +Subject: [PATCH 04/15] The way using 'find' can be retired. 
+ +--- + .../rsyslog_files_permissions/bash/shared.sh | 20 +++++-------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 1aebb8f9da5..cece5930ee8 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + +-RSYSLOG_CONFIGS=() +-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") ++declare -a RSYSLOG_CONFIGS ++RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + +-# Get full list of files to be checked +-# RSYSLOG_CONFIGS may contain globs such as +-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule +-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. +-RSYSLOG_FILES=() +-for ENTRY in "${RSYSLOG_CONFIGS[@]}" +-do +- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")") +- RSYSLOG_FILES+=("${FINDOUT[@]}") +-done +- +-# Check file and fix if needed. 
+-for LOG_FILE in "${RSYSLOG_FILES[@]}" ++# Browse each file selected above as containing paths of log files ++# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) ++for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" + do + # From each of these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + +From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 20 May 2022 01:30:37 +0800 +Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/' + +--- + .../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index cece5930ee8..50d36d7426f 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + ++# Array to hold all rsyslog config entries + declare -a RSYSLOG_CONFIGS + RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + ++# Array to hold all rsyslog config files ++declare -a RSYSLOG_CONFIG_FILES ++for ENTRY in "${RSYSLOG_CONFIGS[@]}" ++do ++ # If directory, need to include files recursively ++ if [ -d "${ENTRY}" ] ++ then ++ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') ++ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") ++ elif [ -f "${ENTRY}" ] ++ then ++ 
RSYSLOG_CONFIG_FILES+=("${ENTRY}") ++ else ++ echo "Invalid include object: ${ENTRY}" ++ fi ++done ++ + # Browse each file selected above as containing paths of log files + # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) +-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" ++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" + do + # From each of these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + +From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 20 May 2022 01:46:33 +0800 +Subject: [PATCH 06/15] Update test files. + +--- + .../tests/include_config_syntax_perms_0600.pass.sh | 2 ++ + .../tests/include_config_syntax_perms_0601.fail.sh | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +index 7cb09128d78..2ddd9fcb697 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF + + include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") + include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}" mode="optional") + + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR} + + EOF +diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index 942eaf086a1..73ff3332c6d 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF + + include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") + include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}" mode="optional") + + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR} + + EOF + +From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 20 May 2022 10:03:32 +0800 +Subject: [PATCH 07/15] Rsyslog says we should include all files + +--- + .../rsyslog_files_permissions/bash/shared.sh | 2 +- + .../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++- + .../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++- + 3 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 50d36d7426f..cd5014105e9 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -24,7 +24,7 @@ do + # If directory, need to 
include files recursively + if [ -d "${ENTRY}" ] + then +- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') ++ readarray -t FINDOUT < <(find "${ENTRY}" -type f) + RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") + elif [ -f "${ENTRY}" ] + then +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +index 2ddd9fcb697..755865ca522 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh + PERMS=0600 + + # setup test data +-create_rsyslog_test_logs 3 ++create_rsyslog_test_logs 4 + + # setup test log files and permissions + chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} + + # create test configuration file + conf_subdir=${RSYSLOG_TEST_DIR}/subdir + mkdir ${conf_subdir} + test_subdir_conf=${conf_subdir}/test_subdir.conf + test_conf=${RSYSLOG_TEST_DIR}/test.conf ++test_bak=${RSYSLOG_TEST_DIR}/test.bak ++ + cat << EOF > ${test_subdir_conf} + # rsyslog configuration file ++# test_subdir_conf + + #### RULES #### + +@@ -31,12 +35,22 @@ EOF + + cat << EOF > ${test_conf} + # rsyslog configuration file ++# test_conf + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[1]} + EOF + ++cat << EOF > ${test_bak} ++# rsyslog configuration file ++# test_bak ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[3]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file +diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index 73ff3332c6d..063b1a0cbe5 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -10,20 +10,24 @@ PERMS_PASS=0600 + PERMS_FAIL=0601 + + # setup test data +-create_rsyslog_test_logs 3 ++create_rsyslog_test_logs 4 + + # setup test log files and permissions + chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} + + # create test configuration file + conf_subdir=${RSYSLOG_TEST_DIR}/subdir + mkdir ${conf_subdir} + test_subdir_conf=${conf_subdir}/test_subdir.conf + test_conf=${RSYSLOG_TEST_DIR}/test.conf ++test_bak=${RSYSLOG_TEST_DIR}/test.bak ++ + cat << EOF > ${test_subdir_conf} + # rsyslog configuration file ++# test_subdir_conf + + #### RULES #### + +@@ -32,12 +36,22 @@ EOF + + cat << EOF > ${test_conf} + # rsyslog configuration file ++# test_conf + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[1]} + EOF + ++cat << EOF > ${test_bak} ++# rsyslog configuration file ++# test_bak ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[3]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + +From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Sat, 21 May 2022 16:02:26 +0800 +Subject: [PATCH 08/15] Match glob() function of rsyslog + +--- + .../rsyslog_files_permissions/bash/shared.sh | 5 ++- + 
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++------- + .../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++------- + 3 files changed, 55 insertions(+), 28 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index cd5014105e9..38105bf086b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS + declare -a RSYSLOG_CONFIG_FILES + for ENTRY in "${RSYSLOG_CONFIGS[@]}" + do +- # If directory, need to include files recursively ++ # If directory, rsyslog will search for config files in recursively. ++ # However, files in hidden sub-directories or hidden files will be ignored. 
+ if [ -d "${ENTRY}" ] + then +- readarray -t FINDOUT < <(find "${ENTRY}" -type f) ++ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) + RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") + elif [ -f "${ENTRY}" ] + then +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +index 755865ca522..a5a2f67fadc 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh + PERMS=0600 + + # setup test data +-create_rsyslog_test_logs 4 ++create_rsyslog_test_logs 5 + + # setup test log files and permissions + chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} + +-# create test configuration file ++# create test configuration files + conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir + mkdir ${conf_subdir} +-test_subdir_conf=${conf_subdir}/test_subdir.conf +-test_conf=${RSYSLOG_TEST_DIR}/test.conf +-test_bak=${RSYSLOG_TEST_DIR}/test.bak ++mkdir ${conf_hiddir} + +-cat << EOF > ${test_subdir_conf} ++test_conf_in_subdir=${conf_subdir}/in_subdir.conf ++test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak ++ ++test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf ++test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf ++ ++cat << EOF > ${test_conf_in_subdir} + # rsyslog configuration file +-# test_subdir_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++*.* 
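Review bot: `find "${ENTRY}" -not -path '*/.*' -type f` skips symbolic links inside an included directory, whereas rsyslog — which, as far as I recall, stat()s each glob() match — follows them, so log files declared in a symlinked config are never fixed; `find -L "${ENTRY}" -not -path '*/.*' -type f` (or adding `-o -type l`) would match that view, and the `[ -f ]` branch below already follows links. Please confirm against rsyslog's include handling; the comment could then read `# rsyslog includes a directory recursively via glob(), which skips dot-files and dot-directories but follows symlinks`.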
${RSYSLOG_TEST_LOGS[1]} + EOF + +-cat << EOF > ${test_conf} ++cat << EOF > ${test_conf_name_bak} + # rsyslog configuration file +-# test_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[1]} ++*.* ${RSYSLOG_TEST_LOGS[2]} + EOF + +-cat << EOF > ${test_bak} ++cat << EOF > ${test_conf_in_hiddir} + # rsyslog configuration file +-# test_bak ++# not used + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[3]} + EOF + ++cat << EOF > ${test_conf_dot_name} ++# rsyslog configuration file ++# not used ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[4]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index 063b1a0cbe5..a9d0adfb727 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -10,48 +10,61 @@ PERMS_PASS=0600 + PERMS_FAIL=0601 + + # setup test data +-create_rsyslog_test_logs 4 ++create_rsyslog_test_logs 5 + + # setup test log files and permissions + chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} + +-# create test configuration file ++# create test configuration files + conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir + mkdir ${conf_subdir} +-test_subdir_conf=${conf_subdir}/test_subdir.conf +-test_conf=${RSYSLOG_TEST_DIR}/test.conf 
+-test_bak=${RSYSLOG_TEST_DIR}/test.bak ++mkdir ${conf_hiddir} + +-cat << EOF > ${test_subdir_conf} ++test_conf_in_subdir=${conf_subdir}/in_subdir.conf ++test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak ++ ++test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf ++test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf ++ ++cat << EOF > ${test_conf_in_subdir} + # rsyslog configuration file +-# test_subdir_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++*.* ${RSYSLOG_TEST_LOGS[1]} + EOF + +-cat << EOF > ${test_conf} ++cat << EOF > ${test_conf_name_bak} + # rsyslog configuration file +-# test_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[1]} ++*.* ${RSYSLOG_TEST_LOGS[2]} + EOF + +-cat << EOF > ${test_bak} ++cat << EOF > ${test_conf_in_hiddir} + # rsyslog configuration file +-# test_bak ++# not used + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[3]} + EOF + ++cat << EOF > ${test_conf_dot_name} ++# rsyslog configuration file ++# not used ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[4]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + +From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Sun, 22 May 2022 21:10:16 +0800 +Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code + +--- + .../rsyslog_files_permissions/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 38105bf086b..e1129e34c81 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -54,7 +54,7 @@ do + then + 
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") + LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") +- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}") ++ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}") + CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") + MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") + # Since above sed command might return more than one item (delimited by newline), split the particular + +From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Tue, 24 May 2022 00:42:17 +0800 +Subject: [PATCH 10/15] Added platform. + +--- + .../tests/include_config_syntax_perms_0601.fail.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index a9d0adfb727..fe4db0a3c91 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + + # Check rsyslog.conf with log file permissions 0600 from rules and + # log file permissions 0601 from $IncludeConfig fails. 
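Review bot: The awk replacement keeps `$2` only when it starts with `/` or `-/`, so RainerScript lines such as `action(type="omfile" file="/var/log/secure")` — which the old sed did handle, as the `CLEANED_PATHS` step stripping `"` and `)` shows — no longer yield a path, and those log files are left with whatever mode they have. Walking all fields and also accepting a `file="..."` attribute keeps both forms: `awk '{for(i=2;i<=NF;i++){if($i~/^-?\//){sub(/^-/,"",$i);print $i}else if(match($i,/file="\/[^"]+"/)){print substr($i,RSTART+6,RLENGTH-7)}}}'`. The trailing comment still says "Since above sed command"; it now describes awk. I cannot see the OVAL side of this rule, so whether the check agrees with the remediation on action() lines is something to confirm.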
+ +From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 13:56:39 +0200 +Subject: [PATCH 11/15] Reset the arrays before using them + +When bash remediations for a profile are generated, it can happen that a +variable with same name is used for multiple remediations. +So let's reset the array before using it. +--- + .../rsyslog_files_permissions/bash/shared.sh | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index e1129e34c81..d1856ffbe7b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf + declare -a LOG_FILE_PATHS + + # Array to hold all rsyslog config entries +-declare -a RSYSLOG_CONFIGS +-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") ++RSYSLOG_CONFIGS=() ++RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + +-# Array to hold all rsyslog config files +-declare -a RSYSLOG_CONFIG_FILES ++# Get full list of files to be checked ++# RSYSLOG_CONFIGS may contain globs such as ++# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule ++# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. ++RSYSLOG_CONFIG_FILES=() + for ENTRY in "${RSYSLOG_CONFIGS[@]}" + do + # If directory, rsyslog will search for config files in recursively. 
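Review bot: `declare -a LOG_FILE_PATHS`, kept as context here, has the same problem this commit fixes for `RSYSLOG_CONFIGS`: `declare -a` on a name that already holds an array keeps its contents, so when several generated remediations share the variable the paths collected by an earlier rule are carried into this one; `LOG_FILE_PATHS=()` resets it. Its use is below the hunk, so I am assuming it is appended to rather than assigned with readarray.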
+ +From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 14:55:37 +0200 +Subject: [PATCH 12/15] Don't parse hidden config files for Includes + +Let's follow rsyslog behavior and not capture process hidden config +files for includes. +--- + .../rsyslog_files_permissions/oval/shared.xml | 9 ++++ + ...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++ + 2 files changed, 62 insertions(+) + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index a04e6fd8900..d13177216c3 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -17,8 +17,17 @@ + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 ++ state_permissions_ignore_hidden_paths + + ++ ++ ++ ^.*\/\..*$ ++ ++ + + + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh +new file mode 100644 +index 00000000000..9b0185c6b2f +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh +@@ -0,0 +1,53 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 
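Review bot: The new `state_permissions_ignore_hidden_paths` filter (`^.*\/\..*$`) drops every include path with a dot-prefixed component, including one named literally such as `$IncludeConfig /etc/rsyslog.d/.local.conf`; glob(3), which rsyslog uses for includes, skips dot-files only for wildcard matches, so such a file is loaded by rsyslog while its log files go unchecked and the rule reports pass. The bash remediation's `[ -f ]` branch does process explicit entries, so check and fix would disagree as well. I would apply the hidden-path exclusion only to entries that contain a wildcard, or to the files produced by expanding a directory, not to explicitly named files; the exact pattern depends on how the later objects expand globs, which is outside this hunk. I am inferring rsyslog's behaviour from glob(3) semantics rather than from its source, so confirm before adjusting the test that pins this.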
8,multi_platform_fedora,Oracle Linux 8 ++ ++# Check rsyslog.conf with log file permisssions 0600 from rules and ++# log file permissions 0601 from include() fails. ++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS_PASS=0600 ++PERMS_FAIL=0601 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# create hidden test2 configuration file ++test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf ++cat << EOF > ${test_conf2} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[2]} ++EOF ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${test_conf}") ++ ++\$IncludeConfig ${test_conf2} ++EOF + +From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 15:49:11 +0200 +Subject: [PATCH 13/15] Add test for for missing rsyslog included files + +The rsyslog conf file may include other config files. +If the included missing files are missing rsyslog will generate an +error, but will still continue working. +https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file + +There is not a good way of ensuring that all files defined in a list of paths exist. 
+--- + ...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++ + 1 file changed, 45 insertions(+) + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh +new file mode 100644 +index 00000000000..b929f2a94ab +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh +@@ -0,0 +1,45 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 ++ ++# Check rsyslog.conf with log file permisssions 0600 from rules and ++# log file permissions 0601 from include() fails. 
++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS_PASS=0600 ++PERMS_FAIL=0601 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# Skip creation test2 configuration file ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${test_conf}") ++ ++\$IncludeConfig ${test_conf2} ++EOF + +From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 21:47:18 +0200 +Subject: [PATCH 14/15] Align Ansible remediation with Bash + +The remediation now expands the glob expressions and doesn't collect +hidden files or directories to check for their permissions. 
+--- + .../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +index 635b72f7352..c558bf46c71 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +@@ -19,19 +19,26 @@ + shell: | + set -o pipefail + grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true +- register: include_config_output ++ register: rsyslog_old_inc + changed_when: False + + - name: "Get include files directives" + shell: | + set -o pipefail + grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true +- register: include_files_output ++ register: rsyslog_new_inc + changed_when: False + ++- name: "Expand glob expressions" ++ shell: | ++ set -o pipefail ++ eval printf '%s\\n' {{ item }} ++ register: include_config_output ++ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}" ++ + - name: "List all config files" +- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")" +- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}" ++ shell: find {{ item }} -not -path "*/.*" -type f ++ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}" + register: rsyslog_config_files + changed_when: False + + +From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 21:56:05 +0200 +Subject: [PATCH 15/15] Ignore invalid or non existing include objects + +Let's not fail the task when the find doesn't find the 
include object. +When the include is a glob expression that doesn't evaluate to any file +the glob itself is used in find command. + +The Bash remediation prints a message for each include that is not a +file is not a directory or doesn't exist. +--- + .../rsyslog_files_permissions/ansible/shared.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +index c558bf46c71..3a9380cf13b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +@@ -40,6 +40,7 @@ + shell: find {{ item }} -not -path "*/.*" -type f + loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}" + register: rsyslog_config_files ++ failed_when: False + changed_when: False + + - name: "Extract log files" diff --git a/scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch b/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch similarity index 62% rename from scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch rename to scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch index aa184fd..2ac4abd 100644 --- a/scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch +++ b/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch 
@@ -1,19 +1,14 @@ -From f802557b2a84b830a8a8742b535a5602925e438d Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Mon, 8 Aug 2022 15:28:37 +0200 -Subject: [PATCH 09/10] Merge pull request #9298 from vojtapolasek/rhbz2114979 +From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:15 +0200 +Subject: [PATCH 1/4] fix ospp references -Patch-name: scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch -Patch-status: Make OSPP profiles use minimal Authselect profile --- linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 + - products/rhel8/profiles/ospp.profile | 2 +- - products/rhel9/profiles/ospp.profile | 2 +- - tests/data/profile_stability/rhel8/ospp.profile | 2 +- - 4 files changed, 4 insertions(+), 3 deletions(-) + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml -index 8d1758e8c9..3edb3642df 100644 +index c151d3c4aa1..f9b46c51ddd 100644 --- a/linux_os/guide/system/accounts/enable_authselect/rule.yml +++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml @@ -34,6 +34,7 @@ references: 
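Review bot: The rewritten header drops the `Patch-name:` and `Patch-status:` lines that recorded why this downstream patch is carried, and the same two lines are removed from the grub2_disable_recovery, stig_aide and stig_bump_version patches further down; keeping one line such as `Patch-status: Make OSPP profiles use minimal Authselect profile` under the upstream subject preserves that record and does not affect how the patch applies. The rename target in this file's header, `ospp_autselect_minimal`, misspells authselect; the spec's Patch line is not in view here, so either correct the spelling in both places or make sure they match exactly. Splitting the former merge-commit patch into the four upstream commits [PATCH 1/4]–[4/4] is otherwise fine.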
@@ -24,21 +19,18 @@ index 8d1758e8c9..3edb3642df 100644 srg: SRG-OS-000480-GPOS-00227 ocil: |- -diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile -index 39ad1797c7..ebec8a3a6f 100644 ---- a/products/rhel8/profiles/ospp.profile -+++ b/products/rhel8/profiles/ospp.profile -@@ -220,7 +220,7 @@ selections: - - var_accounts_max_concurrent_login_sessions=10 - - accounts_max_concurrent_login_sessions - - securetty_root_login_console_only -- - var_authselect_profile=sssd -+ - var_authselect_profile=minimal - - enable_authselect - - var_password_pam_unix_remember=5 - - accounts_password_pam_unix_remember + +From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:42 +0200 +Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp + +--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index f27f961a7a..b21ddcee6d 100644 +index b47630c62b0..dcc41970043 100644 --- a/products/rhel9/profiles/ospp.profile +++ b/products/rhel9/profiles/ospp.profile @@ -115,7 +115,7 @@ selections: 
@@ -50,8 +42,41 @@ index f27f961a7a..b21ddcee6d 100644 - enable_authselect - use_pam_wheel_for_su + +From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:54 +0200 +Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp + +--- + products/rhel8/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile +index 39ad1797c7a..ebec8a3a6f9 100644 +--- a/products/rhel8/profiles/ospp.profile ++++ b/products/rhel8/profiles/ospp.profile +@@ -220,7 +220,7 @@ selections: + - var_accounts_max_concurrent_login_sessions=10 + - accounts_max_concurrent_login_sessions + - securetty_root_login_console_only +- - var_authselect_profile=sssd ++ - var_authselect_profile=minimal + - enable_authselect + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember + +From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 13:55:05 +0200 +Subject: [PATCH 4/4] update profile stability test + +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 5d73a8c6fe..21e93e310d 100644 +index 5d73a8c6fef..21e93e310d5 100644 --- a/tests/data/profile_stability/rhel8/ospp.profile +++ b/tests/data/profile_stability/rhel8/ospp.profile @@ -242,7 +242,7 @@ selections: @@ -63,6 +88,3 @@ index 5d73a8c6fe..21e93e310d 100644 - var_password_pam_unix_remember=5 - var_selinux_state=enforcing - var_selinux_policy_name=targeted --- -2.37.1 - 
diff --git a/scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch b/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch similarity index 53% rename from scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch rename to scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch index e0da12e..74d6823 100644 --- a/scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch +++ b/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch @@ -1,20 +1,17 @@ -From 8d36cef25fc9d890f7ec9756246513a92110b3db Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Wed, 10 Aug 2022 10:53:26 +0200 -Subject: [PATCH 10/10] Merge pull request #9321 from - vojtapolasek/fix_rhel8_iboot +From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 10 Aug 2022 09:59:57 +0200 +Subject: [PATCH] switch rule grub2_disable_interactive_boot for + grub2_disable_recovery in rhel8 ospp -Patch-name: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch -Patch-status: change rules protecting boot in RHEL8 OSPP --- - .../bootloader-grub2/grub2_disable_recovery/rule.yml | 1 + - products/rhel8/profiles/ospp.profile | 2 +- - shared/references/cce-redhat-avail.txt | 11 ----------- - tests/data/profile_stability/rhel8/ospp.profile | 2 +- - 4 files changed, 3 insertions(+), 13 deletions(-) + .../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 + + products/rhel8/profiles/ospp.profile | 2 +- + tests/data/profile_stability/rhel8/ospp.profile | 2 +- + 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml -index 4f8d4ddcfd..fb126cbe7d 100644 +index 4f8d4ddcfde..fb126cbe7d8 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml 
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml @@ -17,6 +17,7 @@ rationale: |- @@ -26,7 +23,7 @@ index 4f8d4ddcfd..fb126cbe7d 100644 references: diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile -index ebec8a3a6f..6e3b30f64b 100644 +index ebec8a3a6f9..6e3b30f64bb 100644 --- a/products/rhel8/profiles/ospp.profile +++ b/products/rhel8/profiles/ospp.profile @@ -304,7 +304,7 @@ selections: @@ -38,27 +35,8 @@ index ebec8a3a6f..6e3b30f64b 100644 - grub2_uefi_password - no_empty_passwords -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 9480db3eae..903fc848eb 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -1,14 +1,3 @@ --CCE-85985-0 --CCE-85988-4 --CCE-85997-5 --CCE-85998-3 --CCE-85999-1 --CCE-86000-7 --CCE-86001-5 --CCE-86002-3 --CCE-86003-1 --CCE-86005-6 --CCE-86006-4 - CCE-86007-2 - CCE-86008-0 - CCE-86009-8 diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 21e93e310d..267b66a4f8 100644 +index 21e93e310d5..267b66a4f89 100644 --- a/tests/data/profile_stability/rhel8/ospp.profile +++ b/tests/data/profile_stability/rhel8/ospp.profile @@ -89,7 +89,7 @@ selections: @@ -70,6 +48,3 @@ index 21e93e310d..267b66a4f8 100644 - grub2_kernel_trust_cpu_rng - grub2_page_poison_argument - grub2_pti_argument --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch b/scap-security-guide-0.1.64-stig_aide-PR_9282.patch similarity index 90% rename from scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch rename to scap-security-guide-0.1.64-stig_aide-PR_9282.patch index e937bbc..68471b6 100644 --- a/scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch +++ b/scap-security-guide-0.1.64-stig_aide-PR_9282.patch 
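Review bot: The new diffstat in the first hunk still reads `4 files changed, 3 insertions(+), 3 deletions(-)` although only three file rows remain above it, and the `@@ -38,27 +35,8 @@` hunk removes the whole `shared/references/cce-redhat-avail.txt` section from the patch; the summary looks hand-edited rather than regenerated, and for the three rows shown it works out to `3 files changed, 3 insertions(+), 2 deletions(-)`. Dropping that section also means the CCE identifiers the earlier version removed from the available list stay listed downstream; if the one-line addition to grub2_disable_recovery/rule.yml (its content is not shown here) is a CCE taken from that list, the list no longer reflects the assignment — confirm, or record in the patch header why the section was left out.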
@@ -1,11 +1,9 @@ -From 04459c1b82cc495af2bfcaac301a3805ec0addf6 Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Wed, 3 Aug 2022 07:42:59 -0500 -Subject: [PATCH 5/8] Merge pull request #9282 from - yuumasato/rhel_align_aide_check_tools +From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Aug 2022 15:01:42 +0200 +Subject: [PATCH] Add rsyslogd to the list of tools check by aide -Patch-name: scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch -Patch-status: Add rsyslogd to the list of tools checked by aide +RHEL products will also check for integrity of /usr/sbin/rsyslogd. --- .../aide/aide_check_audit_tools/ansible/shared.yml | 1 + .../aide/aide_check_audit_tools/bash/shared.sh | 3 +-- @@ -16,7 +14,7 @@ Patch-status: Add rsyslogd to the list of tools checked by aide 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml -index 9d1b7b675c..5905ea8d0e 100644 +index 9d1b7b675c9..5905ea8d0e6 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml @@ -22,6 +22,7 @@ @@ -28,7 +26,7 @@ index 9d1b7b675c..5905ea8d0e 100644 - name: Ensure existing AIDE configuration for audit tools are correct lineinfile: diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh -index d0a1ba2522..a81e25c395 100644 +index d0a1ba2522f..a81e25c3950 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh 
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh @@ -18,12 +18,11 @@ @@ -46,7 +44,7 @@ index d0a1ba2522..a81e25c395 100644 sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}} else diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml -index 6ce56c1137..ca9bf4f94d 100644 +index 6ce56c1137a..ca9bf4f94d0 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml @@ -11,7 +11,7 @@ @@ -59,7 +57,7 @@ index 6ce56c1137..ca9bf4f94d 100644 {{% endif %}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh -index 756b88d8a2..071dde1329 100644 +index 756b88d8a23..071dde13295 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh @@ -7,7 +7,7 @@ aide --init @@ -72,7 +70,7 @@ index 756b88d8a2..071dde1329 100644 for theFile in "${bins[@]}" do diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh -index f3a2a126d3..cb9bbfa735 100644 +index f3a2a126d3d..cb9bbfa7350 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh 
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh @@ -4,7 +4,7 @@ @@ -85,7 +83,7 @@ index f3a2a126d3..cb9bbfa735 100644 for theFile in "${bins[@]}" do diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh -index 4315cef207..a22aecb000 100644 +index 4315cef2073..a22aecb0000 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh @@ -6,7 +6,7 @@ yum -y install aide @@ -97,6 +95,3 @@ index 4315cef207..a22aecb000 100644 for theFile in "${bins[@]}" do --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch b/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch similarity index 99% rename from scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch rename to scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch index 9abae1d..7c0a252 100644 --- a/scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch +++ b/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch 
@@ -1,3278 +1,34 @@
-From 80088c6b60990dee44d45e59f0cfde7567b4702e Mon Sep 17 00:00:00 2001
-From: Matthew Burket
-Date: Mon, 1 Aug 2022 11:12:56 -0500
-Subject: [PATCH 2/8] Merge pull request #9276 from
- yuumasato/update-rhel8-stig-to-v1r7
+From 0addbba742ef5470e911d391eb738e9da79ce7b7 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 1 Aug 2022 14:43:21 +0200
+Subject: [PATCH 1/3] Update DISA RHEL8 STIG manual benchmark to V1R7
-Patch-name: scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch
-Patch-status: Update RHEL8 STIG to V1R7
---
- products/rhel8/profiles/stig.profile | 4 +-
- products/rhel8/profiles/stig_gui.profile | 4 +-
- ...ml => disa-stig-rhel8-v1r6-xccdf-scap.xml} | 945 ++++++++++--------
- ... => disa-stig-rhel8-v1r7-xccdf-manual.xml} | 437 ++++----
- .../data/profile_stability/rhel8/stig.profile | 4 +-
- .../profile_stability/rhel8/stig_gui.profile | 4 +-
- 6 files changed, 780 insertions(+), 618 deletions(-)
- rename shared/references/{disa-stig-rhel8-v1r5-xccdf-scap.xml => disa-stig-rhel8-v1r6-xccdf-scap.xml} (96%)
+ ...
=> disa-stig-rhel8-v1r7-xccdf-manual.xml} | 437 ++++++++++--------
+ 1 file changed, 233 insertions(+), 204 deletions(-)
rename shared/references/{disa-stig-rhel8-v1r6-xccdf-manual.xml => disa-stig-rhel8-v1r7-xccdf-manual.xml} (96%)
+diff --git a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
+similarity index 96%
+rename from shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
+rename to shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
+index 849ab06f66d..a02819d3002 100644
+--- a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
++++ b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
+@@ -1,4 +1,4 @@
+-acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents.
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Apr 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - metadata: -- version: V1R6 -+ version: V1R7 - SMEs: - - mab879 - - ggbecker -@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' + Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. - description: |- - This profile contains configuration checks that align to the -- DISA STIG for Red Hat Enterprise Linux 8 V1R6. -+ DISA STIG for Red Hat Enterprise Linux 8 V1R7. +@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this - configuration baseline as applicable to the operating system tier of -diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile -index 665bc1e059..fa8bc724a5 100644 ---- a/products/rhel8/profiles/stig_gui.profile -+++ b/products/rhel8/profiles/stig_gui.profile -@@ -1,7 +1,7 @@ - documentation_complete: true + localpkg_gpgcheck =True - metadata: -- version: V1R6 -+ version: V1R7 - SMEs: - - mab879 - - ggbecker -@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' +-If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. ++If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - description: |- - This profile contains configuration checks that align to the -- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. -+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. - - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this - configuration baseline as applicable to the operating system tier of -diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -similarity index 96% -rename from shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml -rename to shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -index 1bd2fb7b65..e87b16eb37 100644 ---- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -@@ -1,36 +1,36 @@ - -- -- -+ -+ - -- -+ - -- -+ - - - - -- -+ - -- -+ - - - - -- -- -+ -+ - - -- -+ - - - Red Hat Enterprise Linux 8 -- oval:mil.disa.stig.rhel8:def:1 -+ oval:mil.disa.stig.rhel8:def:1 - - - -- -+ - -- accepted -+ accepted - Red Hat Enterprise Linux 8 Security Technical Implementation Guide - This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. 
The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. - -@@ -40,11 +40,11 @@ - DISA - STIG.DOD.MIL - -- Release: 1.5 Benchmark Date: 27 Apr 2022 -+ Release: 1.6 Benchmark Date: 27 Jul 2022 - 3.3.0.27375 - 1.10.0 - -- 001.005 -+ 001.006 - - DISA - DISA -@@ -2189,15 +2189,15 @@ - - - -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ - - -- -+ - - - -@@ -2217,7 +2217,7 @@ - - - -- -+ - - - -@@ -2237,26 +2237,26 @@ - - - -- -+ - - -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ - - - - - -- -+ - - -- -- -+ -+ - - - -@@ -2337,7 +2337,7 @@ - - - -- -+ - - - -@@ -2355,21 +2355,21 @@ - - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -2379,9 +2379,9 @@ - - - -- -- -- -+ -+ -+ - - - SRG-OS-000480-GPOS-00227 -@@ -2403,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L - Upgrade to a supported version of RHEL 8. - - -- -+ - - - -@@ -2439,7 +2439,7 @@ $ sudo fips-mode-setup --enable - Reboot the system for the changes to take effect. - - -- -+ - - - -@@ -2469,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M - ENCRYPT_METHOD SHA512 - - -- -+ - - - -@@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth - Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. 
- - -- -+ - - - -@@ -2521,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ - SHA_CRYPT_MIN_ROUNDS 5000 - - -- -+ - - - -@@ -2549,7 +2549,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -2577,7 +2577,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -2601,7 +2601,7 @@ Confirm password: - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - - -- -+ - - - -@@ -2631,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include - password sufficient pam_unix.so sha512 - - -- -+ - - - -@@ -2661,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - Remove any files with the .keytab extension from the operating system. - - -- -+ - - - -@@ -2691,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - $ sudo yum remove krb5-workstation - - -- -+ - - - -@@ -2717,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o - $ sudo yum install policycoreutils - - -- -+ - - - -@@ -2753,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. 
- $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -2779,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chmod 0640 /var/log/messages - - -- -+ - - - -@@ -2805,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chown root /var/log/messages - - -- -+ - - - -@@ -2831,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chgrp root /var/log/messages - - -- -+ - - - -@@ -2857,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chmod 0755 /var/log - - -- -+ - - - -@@ -2883,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chown root /var/log - - -- -+ - - - -@@ -2909,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chgrp root /var/log - - -- -+ - - - -@@ -2939,7 +2939,7 @@ SSH_USE_STRONG_RNG=32 - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -2977,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2 - A reboot is required for the changes to take effect. 
- - -- -+ - - - -@@ -3005,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod - $ sudo chmod 755 [FILE] - - -- -+ - - - -@@ -3033,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o - $ sudo chown root [FILE] - - -- -+ - - - -@@ -3061,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g - $ sudo chgrp root [FILE] - - -- -+ - - - -@@ -3089,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i - gpgcheck=1 - - -- -+ - - - -@@ -3119,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: - localpkg_gpgcheck=True - - -- -+ - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010372 - RHEL 8 must prevent the loading of a new kernel for later execution. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. -@@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000312-GPOS-00122 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010373 - RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
-@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000312-GPOS-00122 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010374 - RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. -@@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000138-GPOS-00069 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010375 - RHEL 8 must restrict access to the kernel message buffer. - <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
-@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000138-GPOS-00069 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010376 - RHEL 8 must prevent kernel profiling by unprivileged users. - <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -@@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010380 - RHEL 8 must require users to provide a password for privilege escalation. - <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. -@@ -3358,10 +3358,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - 2921 - - CCI-002038 -- Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. -- -+ Configure the operating system to require users to supply a password for privilege escalation. -+ -+Check the configuration of the "/etc/sudoers" file with the following command: -+$ sudo visudo -+ -+Remove any occurrences of "NOPASSWD" tags in the file. 
-+ -+Check the configuration of the /etc/sudoers.d/* files with the following command: -+$ sudo grep -ir nopasswd /etc/sudoers.d -+ -+Remove any occurrences of "NOPASSWD" tags in the file. -+ - -- -+ - - - -@@ -3387,7 +3397,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - - -- -+ - - - -@@ -3419,14 +3429,14 @@ This requirement only applies to components where this is specific to the functi - $ sudo yum install openssl-pkcs11 - - -- -+ - - - - - SRG-OS-000433-GPOS-00193 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010430 - RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. -@@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect: - $ sudo sysctl --system - - -- -+ - - - -@@ -3485,7 +3495,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con - clean_requirements_on_remove=True - - -- -+ - - - -@@ -3515,7 +3525,7 @@ SELINUXTYPE=targeted - A reboot is required for the changes to take effect. - - -- -+ - - - -@@ -3539,7 +3549,7 @@ A reboot is required for the changes to take effect. - $ sudo rm /etc/ssh/shosts.equiv - - -- -+ - - - -@@ -3563,7 +3573,7 @@ $ sudo rm /etc/ssh/shosts.equiv - $ sudo rm /[path]/[to]/[file]/.shosts - - -- -+ - - - -@@ -3591,7 +3601,7 @@ The SSH daemon must be restarted for the changes to take effect. 
To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3619,7 +3629,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3647,7 +3657,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3673,7 +3683,7 @@ Compression no - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -3703,7 +3713,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3733,7 +3743,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3755,7 +3765,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/var" path onto a separate file system. - - -- -+ - - - -@@ -3777,7 +3787,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/var/log" path onto a separate file system. - - -- -+ - - - -@@ -3799,7 +3809,7 @@ $ sudo systemctl restart sshd.service - Migrate the system audit data path onto a separate file system. - - -- -+ - - - -@@ -3821,7 +3831,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/tmp" directory onto a separate file system/partition. - - -- -+ - - - -@@ -3851,7 +3861,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3879,7 +3889,7 @@ $ sudo systemctl start rsyslog.service - $ sudo systemctl enable rsyslog.service - - -- -+ - - - -@@ -3901,7 +3911,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - - -- -+ - - - -@@ -3923,7 +3933,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. 
- - -- -+ - - - -@@ -3945,7 +3955,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3967,7 +3977,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3989,14 +3999,14 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010671 - RHEL 8 must disable the kernel.core_pattern. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -4055,7 +4065,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - * hard core 0 - - -- -+ - - - -@@ -4083,7 +4093,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: - Storage=none - - -- -+ - - - -@@ -4111,7 +4121,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: - ProcessSizeMax=0 - - -- -+ - - - -@@ -4135,7 +4145,7 @@ ProcessSizeMax=0 - CREATE_HOME yes - - -- -+ - - - -@@ -4165,7 +4175,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -4203,7 +4213,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4235,7 +4245,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - deny = 3 - - -- -+ - - - -@@ -4273,7 +4283,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4305,7 +4315,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - fail_interval = 900 - - -- -+ - - - -@@ -4343,7 +4353,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4375,7 +4385,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - unlock_time = 0 - - -- -+ - - - -@@ -4413,7 +4423,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4445,7 +4455,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - silent - - -- -+ - - - -@@ -4485,7 +4495,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4517,7 +4527,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - audit - - -- -+ - - - -@@ -4557,7 +4567,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4589,7 +4599,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - even_deny_root - - -- -+ - - - -@@ -4617,7 +4627,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - * hard maxlogins 10 - - -- -+ - - - -@@ -4649,21 +4659,21 @@ Create a global configuration file "/etc/tmux.conf" and add the following line: - set -g lock-command vlock - - -- -+ - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020041 - RHEL 8 must ensure session control is automatically started at shell initialization. - <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - --Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. -+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
- - Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - -@@ -4674,18 +4684,18 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion - 2921 - - CCI-000056 -- Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -+ Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: - --If [ "$PS1" ]; then -+if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac - fi - - This setting will take effect at next logon. -- -+ - -- -+ - - - -@@ -4713,7 +4723,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion - Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. - - -- -+ - - - -@@ -4743,14 +4753,14 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin - password required pam_pwquality.so - - -- -+ - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020110 - RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - ucredit = -1 - - -- -+ - - - - - SRG-OS-000070-GPOS-00038 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020120 - RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - lcredit = -1 - - -- -+ - - - - - SRG-OS-000071-GPOS-00039 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020130 - RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - dcredit = -1 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020140 - RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
-@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin - maxclassrepeat = 4 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020150 - RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin - maxrepeat = 3 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020160 - RHEL 8 must require the change of at least four character classes when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin - minclass = 4 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020170 - RHEL 8 must require the change of at least 8 characters when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
-@@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to - difok = 8 - - -- -+ - - - -@@ -4977,7 +4987,7 @@ difok = 8 - $ sudo chage -m 1 [user] - - -- -+ - - - -@@ -5003,7 +5013,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ - PASS_MIN_DAYS 1 - - -- -+ - - - -@@ -5029,7 +5039,7 @@ Add, or modify the following line in the "/etc/login.defs" file: - PASS_MAX_DAYS 60 - - -- -+ - - - -@@ -5053,7 +5063,7 @@ PASS_MAX_DAYS 60 - $ sudo chage -M 60 [user] - - -- -+ - - - -@@ -5085,14 +5095,14 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have - password required pam_pwhistory.so use_authtok remember=5 retry=3 - - -- -+ - - - - - SRG-OS-000078-GPOS-00046 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020230 - RHEL 8 passwords must have a minimum of 15 characters. - <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -@@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to - minlen = 15 - - -- -+ - - - -@@ -5149,7 +5159,7 @@ Add, or modify the following line in the "/etc/login.defs" file: - PASS_MIN_LEN 15 - - -- -+ - - - -@@ -5179,14 +5189,14 @@ $ sudo useradd -D -f 35 - DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - - -- -+ - - - - - SRG-OS-000266-GPOS-00101 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020280 - All RHEL 8 passwords must contain at least one special character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
-@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - ocredit = -1 - - -- -+ - - - - - SRG-OS-000480-GPOS-00225 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. - <VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> -@@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a - dictcheck=1 - - -- -+ - - - -@@ -5263,7 +5273,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr - FAIL_DELAY 4 - - -- -+ - - - -@@ -5291,7 +5301,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -5319,7 +5329,7 @@ PrintLastLog yes - The SSH service must be restarted for changes to "sshd_config" to take effect. - - -- -+ - - - -@@ -5345,7 +5355,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 - UMASK 077 - - -- -+ - - - -@@ -5379,7 +5389,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -5409,7 +5419,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator - action_mail_acct = root - - -- -+ - - - -@@ -5441,7 +5451,7 @@ disk_error_action = HALT - If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - - -- -+ - - - -@@ -5475,7 +5485,7 @@ disk_full_action = HALT - If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - - -- -+ - - - -@@ -5503,7 +5513,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: - local_events = yes - - -- -+ - - - -@@ -5535,7 +5545,7 @@ name_format = hostname - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -5565,7 +5575,7 @@ log_format = ENRICHED - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -5593,7 +5603,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - log_group = root - - -- -+ - - - -@@ -5623,7 +5633,7 @@ $ sudo chown root [audit_log_file] - Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - - -- -+ - - - -@@ -5651,7 +5661,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - log_group = root - - -- -+ - - - -@@ -5681,7 +5691,7 @@ $ sudo chown root [audit_log_directory] - Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". 
- - -- -+ - - - -@@ -5711,7 +5721,7 @@ $ sudo chgrp root [audit_log_directory] - Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - - -- -+ - - - -@@ -5741,7 +5751,7 @@ $ sudo chmod 0700 [audit_log_directory] - Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". - - -- -+ - - - -@@ -5773,7 +5783,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - - -- -+ - - - -@@ -5803,7 +5813,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - --loginuid-immutable - - -- -+ - - - -@@ -5835,7 +5845,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5867,7 +5877,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5899,7 +5909,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5931,7 +5941,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5963,7 +5973,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5995,7 +6005,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -6027,7 +6037,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6059,7 +6069,7 @@ Install the audit service (if the audit service is not already installed) with t - $ sudo yum install audit - - -- -+ - - - -@@ -6091,7 +6101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6136,7 +6146,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6168,7 +6178,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6200,7 +6210,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6232,7 +6242,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6264,7 +6274,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6296,7 +6306,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6328,7 +6338,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -6361,7 +6371,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6393,7 +6403,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6425,7 +6435,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6457,7 +6467,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6489,7 +6499,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6521,7 +6531,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6553,7 +6563,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6585,7 +6595,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6617,7 +6627,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6649,7 +6659,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -6681,7 +6691,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6713,7 +6723,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6745,7 +6755,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6780,7 +6790,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6820,7 +6830,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6852,7 +6862,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6885,7 +6895,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6917,7 +6927,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6949,7 +6959,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6992,7 +7002,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -7031,7 +7041,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7069,7 +7079,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7101,7 +7111,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7133,7 +7143,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7165,7 +7175,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7207,7 +7217,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7249,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7275,7 +7285,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules - $ sudo chmod 0640 /etc/audit/auditd.conf - - -- -+ - - - -@@ -7305,7 +7315,7 @@ $ sudo chmod 0755 [audit_tool] - Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - - -- -+ - - - -@@ -7337,7 +7347,7 @@ $ sudo chown root [audit_tool] - Replace "[audit_tool]" with each audit tool not owned by "root". - - -- -+ - - - -@@ -7369,7 +7379,7 @@ $ sudo chgrp root [audit_tool] - Replace "[audit_tool]" with each audit tool not group-owned by "root". 
- - -- -+ - - - -@@ -7404,7 +7414,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul - $ sudo yum install rsyslog - - -- -+ - - - -@@ -7439,7 +7449,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul - $ sudo yum install rsyslog-gnutls - - -- -+ - - - -@@ -7471,7 +7481,7 @@ overflow_action = syslog - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -7497,7 +7507,7 @@ space_left = 25% - Note: Option names and values in the auditd.conf file are case insensitive. - - -- -+ - - - -@@ -7527,7 +7537,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - port 0 - - -- -+ - - - -@@ -7557,7 +7567,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - cmdport 0 - - -- -+ - - - -@@ -7591,7 +7601,7 @@ If a privileged user were to log on using this service, the privileged user pass - $ sudo yum remove telnet-server - - -- -+ - - - -@@ -7621,7 +7631,7 @@ Verify the operating system is configured to disable non-essential capabilities. - $ sudo yum remove abrt* - - -- -+ - - - -@@ -7651,7 +7661,7 @@ Verify the operating system is configured to disable non-essential capabilities. - $ sudo yum remove sendmail - - -- -+ - - - -@@ -7683,7 +7693,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion - $ sudo yum remove rsh-server - - -- -+ - - - -@@ -7716,7 +7726,7 @@ blacklist atm - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7749,7 +7759,7 @@ blacklist can - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7782,7 +7792,7 @@ blacklist sctp - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7815,7 +7825,7 @@ blacklist tipc - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7848,7 +7858,7 @@ blacklist cramfs - Reboot the system for the settings to take effect. 
- - -- -+ - - - -@@ -7879,7 +7889,7 @@ blacklist firewire-core - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7910,14 +7920,14 @@ blacklist usb-storage - Reboot the system for the settings to take effect. - - -- -+ - - - - - SRG-OS-000300-GPOS-00118 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. - <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. -@@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per - 2921 - - CCI-001443 -- Configure the operating system to disable the Bluetooth adapter when not in use. -+ Configure the operating system to disable the Bluetooth adapter when not in use. - - Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: - - install bluetooth /bin/true - -+Disable the ability to use the Bluetooth kernel module. -+ -+$ sudo vi /etc/modprobe.d/blacklist.conf -+ -+Add or update the line: -+ -+blacklist bluetooth -+ - Reboot the system for the settings to take effect. 
-- -+ - -- -+ - - - -@@ -7972,7 +7990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8000,7 +8018,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8030,7 +8048,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8060,7 +8078,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8088,7 +8106,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8118,7 +8136,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8148,7 +8166,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8178,7 +8196,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8208,7 +8226,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8238,7 +8256,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8268,7 +8286,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - 
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8298,7 +8316,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8328,7 +8346,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8358,7 +8376,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8388,7 +8406,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8418,7 +8436,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO - $ sudo systemctl enable sshd.service - - -- -+ - - - -@@ -8454,7 +8472,7 @@ Restart the SSH daemon for the settings to take effect. - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -8482,7 +8500,7 @@ Reload the daemon for this change to take effect. - $ sudo systemctl daemon-reload - - -- -+ - - - -@@ -8506,7 +8524,7 @@ $ sudo systemctl daemon-reload - $ sudo yum remove tftp-server - - -- -+ - - - -@@ -8530,14 +8548,14 @@ $ sudo yum remove tftp-server - If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040210 - RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
- <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040220 - RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -@@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040230 - RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. -@@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040240 - RHEL 8 must not forward IPv6 source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
-@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040250 - RHEL 8 must not forward IPv6 source-routed packets by default. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -@@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040260 - RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -@@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040261 - RHEL 8 must not accept router advertisements on all IPv6 interfaces. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
-@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040262 - RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -@@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040270 - RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -@@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040280 - RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
-@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040281 - RHEL 8 must disable access to network bpf syscall from unprivileged processes. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040283 - RHEL 8 must restrict exposed kernel pointer addresses access. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
-@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040284 - RHEL 8 must disable the use of user namespaces. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
-@@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -9125,7 +9143,7 @@ $ sudo sysctl --system - $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - - -- -+ - - - -@@ -9157,7 +9175,7 @@ The SSH service must be restarted for changes to take effect: - $ sudo systemctl restart sshd - - -- -+ - - - -@@ -9183,7 +9201,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us - X11UseLocalhost yes - - -- -+ - - - -@@ -9207,7 +9225,7 @@ X11UseLocalhost yes - server_args = -s /var/lib/tftpboot - - -- -+ - - - -@@ -9231,7 +9249,7 @@ server_args = -s /var/lib/tftpboot - $ sudo yum remove vsftpd - - -- -+ - - - -@@ -9259,7 +9277,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose - $ sudo yum remove gssproxy - - -- -+ - - - -@@ -9287,7 +9305,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI - $ sudo yum remove iprutils - - -- -+ - - - -@@ -9315,7 +9333,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. - $ sudo yum remove tuned - - -- -+ - - - -@@ -9345,7 +9363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - $ sudo yum remove krb5-server - - -- -+ - - - -@@ -9369,14 +9387,14 @@ ALL ALL=(ALL) ALL - ALL ALL=(ALL:ALL) ALL - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". - <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
-@@ -9395,14 +9413,14 @@ Defaults !rootpw - Defaults !runaspw - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -@@ -9427,7 +9445,7 @@ Defaults timestamp_timeout=[value] - Note: The "[value]" must be a number that is greater than or equal to "0". - - -- -+ - - - -@@ -9451,7 +9469,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". - - -- -+ - - - -@@ -9475,14 +9493,14 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p - Note: Manual changes to the listed file may be overwritten by the "authselect" program. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040286 - RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -9540,18 +9558,18 @@ Lock an account: - $ sudo passwd -l [username] - - -- -+ - - - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:45:12 -+ 2022-06-28T15:27:20 - - - -@@ -11139,17 +11157,16 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - - - -- -+ - -- RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. -+ RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords. 
- - Red Hat Enterprise Linux 8 - - If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. - -- -+ - -- - - - -@@ -12630,7 +12647,7 @@ RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 pe - - - -- -+ - - RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. - -@@ -12644,6 +12661,7 @@ Protecting the confidentiality and integrity of communications with wireless per - - - -+ - - - -@@ -13523,7 +13541,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - - - -- -+ - - RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". - -@@ -13533,21 +13551,21 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - For more information on each of the listed configurations, reference the sudoers(5) manual page. - - -- -+ - - - -- -+ - - - -- -+ - - - - - -- -+ - - RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. - -@@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit - - If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. 
- -- -- -- -+ -+ - - - -@@ -13876,7 +13893,7 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - -@@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - -- -- -+ -+ - - - - - - -- -- -+ -+ - - - -- -- -+ -+ - - - -@@ -14189,8 +14206,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - - -@@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - - -@@ -14245,12 +14262,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -- -- -- -- -+ -+ - - - -@@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil - - - -+ -+ -+ - - - -@@ -15031,29 +15047,33 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - -+ - -- -+ - - -+ - - - - - -- -+ - - - -- -+ - - -+ - -- -+ - - -+ - - - -@@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -- -- -- -- -- -+ -+ - - - -@@ -15132,7 +15148,7 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - -@@ -15426,12 +15442,14 @@ The sysctl --system command will load settings from all system configuration fil - oval:mil.disa.stig.rhel8:obj:13602 - - -- -+ -+ - /etc/sudoers - ^(?!#).*\s+NOPASSWD.*$ - 1 - -- -+ -+ - /etc/sudoers.d - ^.*$ - ^(?!#).*\s+NOPASSWD.*$ -@@ -15861,41 +15879,109 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ 
^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:19700 -+ oval:mil.disa.stig.rhel8:obj:19701 -+ -+ -+ -+ /etc/security -+ ^pwquality\.conf.*$ - ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* -+ ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:19800 -+ oval:mil.disa.stig.rhel8:obj:19801 -+ -+ - - /etc/security/pwquality.conf - ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*maxclassrepeat\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20000 -+ oval:mil.disa.stig.rhel8:obj:20001 -+ -+ -+ -+ /etc/security -+ ^pwquality\.conf.*$ - ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* -+ ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20100 -+ oval:mil.disa.stig.rhel8:obj:20101 -+ -+ - - /etc/security/pwquality.conf - ^\s*minclass\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*difok\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20300 -+ oval:mil.disa.stig.rhel8:obj:20301 -+ -+ - - /etc/shadow - ^root:[^:]*:[^:]*:0*: -@@ -15959,11 +16045,24 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b - 1 - -- -- /etc/security/pwquality.conf -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* - ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ /etc/security -+ ^pwquality\.conf -+ ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ 
-+ oval:mil.disa.stig.rhel8:obj:20900 -+ oval:mil.disa.stig.rhel8:obj:20901 -+ -+ - - /etc/login.defs - ^\s*PASS_MIN_LEN\s+(\d+)\s*$ -@@ -15979,17 +16078,25 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/pwquality.conf.d/ -- ^.*\.conf$ -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ - ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ -+ oval:mil.disa.stig.rhel8:obj:21400 -+ oval:mil.disa.stig.rhel8:obj:21401 -+ -+ - - /etc/login.defs - ^\s*FAIL_DELAY\s+(\d+)\s*$ -@@ -16795,6 +16902,12 @@ The sysctl --system command will load settings from all system configuration fil - ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/true[ \t]*$ - 1 - -+ -+ /etc/modprobe.d -+ .* -+ ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ -+ 1 -+ - - /dev/shm - -@@ -17240,17 +17353,25 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*Defaults\s+\!runaspw\s*$ - 1 - -- -+ -+ - /etc/sudoers -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -- -+ -+ - /etc/sudoers.d - ^.*$ -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -+ -+ -+ oval:mil.disa.stig.rhel8:obj:41600 -+ oval:mil.disa.stig.rhel8:obj:41601 -+ -+ - - /etc/pam.d/system-auth - \bnullok\b -@@ -17791,12 +17912,24 @@ The sysctl --system command will load settings from all system configuration fil - - 1 - -+ -+ 2 -+ -+ -+ 2 -+ - - 0 - - - 0 - -+ -+ 2 -+ -+ -+ 2 -+ - - ^(no|"no")$ - -@@ -17896,12 +18029,12 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:45:12 -+ 2022-06-28T15:27:20 - - - -diff --git a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml 
b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -similarity index 96% -rename from shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml -rename to shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -index 849ab06f66..a02819d300 100644 ---- a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml -+++ b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -@@ -1,4 +1,4 @@ --acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Apr 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. 
- - Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. - -@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf - - localpkg_gpgcheck =True - --If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
-+If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - - Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. + Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. @@ -867,7 +867,7 @@ kernel.kexec_load_disabled = 1 
@@ -4395,41 +1151,3301 @@ index 849ab06f66..a02819d300 100644
 If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
-@@ -7163,7 +7190,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
-
- password required pam_pwquality.so retry=3
-
--If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
-+If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
This is set in both:
- /etc/pam.d/password-auth
-@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
- Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value):
-
--retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
-+retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
-
- Verify the operating system is configured to limit the "pwquality" retry option to 3.
+@@ -7163,7 +7190,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
+
+ password required pam_pwquality.so retry=3
+
+-If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
++If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
"pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
+ /etc/pam.d/password-auth
+@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+ Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value):
+
+-retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
++retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
+
+ Verify the operating system is configured to limit the "pwquality" retry option to 3.
+
+ Check for the use of the "pwquality" retry option with the following command:
+
+-$ sudo grep retry /etc/security/pwquality.conf
++$ sudo grep -r retry /etc/security/pwquality.conf*
+
+-retry = 3
++/etc/security/pwquality.conf:retry = 3
+
+ If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding.
+
++If conflicting results are returned, this is a finding.
++
+ Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command:
+
+ $ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth
+
+From feea7690b848d68c150712c841c74703b70e1a02 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 1 Aug 2022 14:46:19 +0200
+Subject: [PATCH 2/3] Update DISA STIG RHEL8 SCAP content to V1R6
+
+The V1R6 SCAP content is aligned with the V1R7 manual benchmark. 
+---
+ ...ml => disa-stig-rhel8-v1r6-xccdf-scap.xml} | 945 ++++++++++--------
+ 1 file changed, 539 insertions(+), 406 deletions(-)
+ rename shared/references/{disa-stig-rhel8-v1r5-xccdf-scap.xml => disa-stig-rhel8-v1r6-xccdf-scap.xml} (96%)
+
+diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml
+similarity index 96%
+rename from shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
+rename to shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml
+index 1bd2fb7b659..e87b16eb377 100644
+--- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
++++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml
+@@ -1,36 +1,36 @@
+
+-
+-
++
++
+
+-
++
+
+-
++
+
+
+
+
+-
++
+
+-
++
+
+
+
+
+-
+-
++
++
+
+
+-
++
+
+
+ Red Hat Enterprise Linux 8
+- oval:mil.disa.stig.rhel8:def:1
++ oval:mil.disa.stig.rhel8:def:1
+
+
+
+-
++
+
+- accepted
++ accepted
+ Red Hat Enterprise Linux 8 Security Technical Implementation Guide
+ This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
+ +@@ -40,11 +40,11 @@ + DISA + STIG.DOD.MIL + +- Release: 1.5 Benchmark Date: 27 Apr 2022 ++ Release: 1.6 Benchmark Date: 27 Jul 2022 + 3.3.0.27375 + 1.10.0 + +- 001.005 ++ 001.006 + + DISA + DISA +@@ -2189,15 +2189,15 @@ + + + +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ + + +- ++ + + + +@@ -2217,7 +2217,7 @@ + + + +- ++ + + + +@@ -2237,26 +2237,26 @@ + + + +- ++ + + +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ + + + + + +- ++ + + +- +- ++ ++ + + + +@@ -2337,7 +2337,7 @@ + + + +- ++ + + + +@@ -2355,21 +2355,21 @@ + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -2379,9 +2379,9 @@ + + + +- +- +- ++ ++ ++ + + + SRG-OS-000480-GPOS-00227 +@@ -2403,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L + Upgrade to a supported version of RHEL 8. + + +- ++ + + + +@@ -2439,7 +2439,7 @@ $ sudo fips-mode-setup --enable + Reboot the system for the changes to take effect. + + +- ++ + + + +@@ -2469,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M + ENCRYPT_METHOD SHA512 + + +- ++ + + + +@@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth + Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. 
+ + +- ++ + + + +@@ -2521,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ + SHA_CRYPT_MIN_ROUNDS 5000 + + +- ++ + + + +@@ -2549,7 +2549,7 @@ Enter password: + Confirm password: + + +- ++ + + + +@@ -2577,7 +2577,7 @@ Enter password: + Confirm password: + + +- ++ + + + +@@ -2601,7 +2601,7 @@ Confirm password: + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + + +- ++ + + + +@@ -2631,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include + password sufficient pam_unix.so sha512 + + +- ++ + + + +@@ -2661,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + Remove any files with the .keytab extension from the operating system. + + +- ++ + + + +@@ -2691,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + $ sudo yum remove krb5-workstation + + +- ++ + + + +@@ -2717,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o + $ sudo yum install policycoreutils + + +- ++ + + + +@@ -2753,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. 
+ $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -2779,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chmod 0640 /var/log/messages + + +- ++ + + + +@@ -2805,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chown root /var/log/messages + + +- ++ + + + +@@ -2831,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chgrp root /var/log/messages + + +- ++ + + + +@@ -2857,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chmod 0755 /var/log + + +- ++ + + + +@@ -2883,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chown root /var/log + + +- ++ + + + +@@ -2909,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chgrp root /var/log + + +- ++ + + + +@@ -2939,7 +2939,7 @@ SSH_USE_STRONG_RNG=32 + The SSH service must be restarted for changes to take effect. + + +- ++ + + + +@@ -2977,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2 + A reboot is required for the changes to take effect. 
+ + +- ++ + + + +@@ -3005,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod + $ sudo chmod 755 [FILE] + + +- ++ + + + +@@ -3033,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o + $ sudo chown root [FILE] + + +- ++ + + + +@@ -3061,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g + $ sudo chgrp root [FILE] + + +- ++ + + + +@@ -3089,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i + gpgcheck=1 + + +- ++ + + + +@@ -3119,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: + localpkg_gpgcheck=True + + +- ++ + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010372 + RHEL 8 must prevent the loading of a new kernel for later execution. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +@@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000312-GPOS-00122 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010373 + RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. + <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
+@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000312-GPOS-00122 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010374 + RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. + <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. +@@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000138-GPOS-00069 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010375 + RHEL 8 must restrict access to the kernel message buffer. + <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
+@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command:
+ $ sudo sysctl --system
+
+
+-
++
+
+
+
+
+ SRG-OS-000138-GPOS-00069
+ <GroupDescription></GroupDescription>
+-
++
+ RHEL-08-010376
+ RHEL 8 must prevent kernel profiling by unprivileged users.
+ <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+@@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command:
+ $ sudo sysctl --system
+
+
+-
++
+
+
+
+
+ SRG-OS-000373-GPOS-00156
+ <GroupDescription></GroupDescription>
+-
++
+ RHEL-08-010380
+ RHEL 8 must require users to provide a password for privilege escalation.
+ <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
+@@ -3358,10 +3358,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO
+ 2921
+
+ CCI-002038
+- Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
+-
++ Configure the operating system to require users to supply a password for privilege escalation.
++
++Check the configuration of the "/etc/sudoers" file with the following command:
++$ sudo visudo
++
++Remove any occurrences of "NOPASSWD" tags in the file. 
++
++Check the configuration of the /etc/sudoers.d/* files with the following command:
++$ sudo grep -ir nopasswd /etc/sudoers.d
++
++Remove any occurrences of "NOPASSWD" tags in the file.
++
+
+-
++
+
+
+
+@@ -3387,7 +3397,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO
+ Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
+
+
+-
++
+
+
+
+@@ -3419,14 +3429,14 @@ This requirement only applies to components where this is specific to the functi
+ $ sudo yum install openssl-pkcs11
+
+
+-
++
+
+
+
+
+ SRG-OS-000433-GPOS-00193
+ <GroupDescription></GroupDescription>
+-
++
+ RHEL-08-010430
+ RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
+ <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+@@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect:
+ $ sudo sysctl --system
+
+
+-
++
+
+
+
+@@ -3485,7 +3495,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con
+ clean_requirements_on_remove=True
+
+
+-
++
+
+
+
+@@ -3515,7 +3525,7 @@ SELINUXTYPE=targeted
+ A reboot is required for the changes to take effect.
+
+
+-
++
+
+
+
+@@ -3539,7 +3549,7 @@ A reboot is required for the changes to take effect.
+ $ sudo rm /etc/ssh/shosts.equiv
+
+
+-
++
+
+
+
+@@ -3563,7 +3573,7 @@ $ sudo rm /etc/ssh/shosts.equiv
+ $ sudo rm /[path]/[to]/[file]/.shosts
+
+
+-
++
+
+
+
+@@ -3591,7 +3601,7 @@ The SSH daemon must be restarted for the changes to take effect. 
To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3619,7 +3629,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3647,7 +3657,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3673,7 +3683,7 @@ Compression no + The SSH service must be restarted for changes to take effect. + + +- ++ + + + +@@ -3703,7 +3713,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3733,7 +3743,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3755,7 +3765,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/var" path onto a separate file system. + + +- ++ + + + +@@ -3777,7 +3787,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/var/log" path onto a separate file system. + + +- ++ + + + +@@ -3799,7 +3809,7 @@ $ sudo systemctl restart sshd.service + Migrate the system audit data path onto a separate file system. + + +- ++ + + + +@@ -3821,7 +3831,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/tmp" directory onto a separate file system/partition. + + +- ++ + + + +@@ -3851,7 +3861,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3879,7 +3889,7 @@ $ sudo systemctl start rsyslog.service + $ sudo systemctl enable rsyslog.service + + +- ++ + + + +@@ -3901,7 +3911,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. + + +- ++ + + + +@@ -3923,7 +3933,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. 
+ + +- ++ + + + +@@ -3945,7 +3955,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. + + +- ++ + + + +@@ -3967,7 +3977,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. + + +- ++ + + + +@@ -3989,14 +3999,14 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010671 + RHEL 8 must disable the kernel.core_pattern. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + +@@ -4055,7 +4065,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con + * hard core 0 + + +- ++ + + + +@@ -4083,7 +4093,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: + Storage=none + + +- ++ + + + +@@ -4111,7 +4121,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: + ProcessSizeMax=0 + + +- ++ + + + +@@ -4135,7 +4145,7 @@ ProcessSizeMax=0 + CREATE_HOME yes + + +- ++ + + + +@@ -4165,7 +4175,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -4203,7 +4213,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4235,7 +4245,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + deny = 3 + + +- ++ + + + +@@ -4273,7 +4283,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4305,7 +4315,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + fail_interval = 900 + + +- ++ + + + +@@ -4343,7 +4353,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4375,7 +4385,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + unlock_time = 0 + + +- ++ + + + +@@ -4413,7 +4423,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4445,7 +4455,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + silent + + +- ++ + + + +@@ -4485,7 +4495,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4517,7 +4527,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + audit + + +- ++ + + + +@@ -4557,7 +4567,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4589,7 +4599,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + even_deny_root + + +- ++ + + + +@@ -4617,7 +4627,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con + * hard maxlogins 10 + + +- ++ + + + +@@ -4649,21 +4659,21 @@ Create a global configuration file "/etc/tmux.conf" and add the following line: + set -g lock-command vlock + + +- ++ + + + + + SRG-OS-000028-GPOS-00009 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020041 + RHEL 8 must ensure session control is automatically started at shell initialization. + <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + +-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. ++Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
+ + Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + +@@ -4674,18 +4684,18 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion + 2921 + + CCI-000056 +- Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: ++ Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: + +-If [ "$PS1" ]; then ++if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in (sshd|login) exec tmux ;; esac + fi + + This setting will take effect at next logon. +- ++ + +- ++ + + + +@@ -4713,7 +4723,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion + Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. + + +- ++ + + + +@@ -4743,14 +4753,14 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin + password required pam_pwquality.so + + +- ++ + + + + + SRG-OS-000069-GPOS-00037 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020110 + RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + ucredit = -1 + + +- ++ + + + + + SRG-OS-000070-GPOS-00038 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020120 + RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + lcredit = -1 + + +- ++ + + + + + SRG-OS-000071-GPOS-00039 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020130 + RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + dcredit = -1 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020140 + RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin + maxclassrepeat = 4 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020150 + RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin + maxrepeat = 3 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020160 + RHEL 8 must require the change of at least four character classes when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin + minclass = 4 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020170 + RHEL 8 must require the change of at least 8 characters when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+@@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to + difok = 8 + + +- ++ + + + +@@ -4977,7 +4987,7 @@ difok = 8 + $ sudo chage -m 1 [user] + + +- ++ + + + +@@ -5003,7 +5013,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ + PASS_MIN_DAYS 1 + + +- ++ + + + +@@ -5029,7 +5039,7 @@ Add, or modify the following line in the "/etc/login.defs" file: + PASS_MAX_DAYS 60 + + +- ++ + + + +@@ -5053,7 +5063,7 @@ PASS_MAX_DAYS 60 + $ sudo chage -M 60 [user] + + +- ++ + + + +@@ -5085,14 +5095,14 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have + password required pam_pwhistory.so use_authtok remember=5 retry=3 + + +- ++ + + + + + SRG-OS-000078-GPOS-00046 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020230 + RHEL 8 passwords must have a minimum of 15 characters. + <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. +@@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to + minlen = 15 + + +- ++ + + + +@@ -5149,7 +5159,7 @@ Add, or modify the following line in the "/etc/login.defs" file: + PASS_MIN_LEN 15 + + +- ++ + + + +@@ -5179,14 +5189,14 @@ $ sudo useradd -D -f 35 + DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. + + +- ++ + + + + + SRG-OS-000266-GPOS-00101 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020280 + All RHEL 8 passwords must contain at least one special character. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + ocredit = -1 + + +- ++ + + + + + SRG-OS-000480-GPOS-00225 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020300 + RHEL 8 must prevent the use of dictionary words for passwords. + <VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +@@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a + dictcheck=1 + + +- ++ + + + +@@ -5263,7 +5273,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr + FAIL_DELAY 4 + + +- ++ + + + +@@ -5291,7 +5301,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -5319,7 +5329,7 @@ PrintLastLog yes + The SSH service must be restarted for changes to "sshd_config" to take effect. + + +- ++ + + + +@@ -5345,7 +5355,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 + UMASK 077 + + +- ++ + + + +@@ -5379,7 +5389,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -5409,7 +5419,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator + action_mail_acct = root + + +- ++ + + + +@@ -5441,7 +5451,7 @@ disk_error_action = HALT + If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". + + +- ++ + + + +@@ -5475,7 +5485,7 @@ disk_full_action = HALT + If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". + + +- ++ + + + +@@ -5503,7 +5513,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: + local_events = yes + + +- ++ + + + +@@ -5535,7 +5545,7 @@ name_format = hostname + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -5565,7 +5575,7 @@ log_format = ENRICHED + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -5593,7 +5603,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + log_group = root + + +- ++ + + + +@@ -5623,7 +5633,7 @@ $ sudo chown root [audit_log_file] + Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". + + +- ++ + + + +@@ -5651,7 +5661,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + log_group = root + + +- ++ + + + +@@ -5681,7 +5691,7 @@ $ sudo chown root [audit_log_directory] + Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". 
+ + +- ++ + + + +@@ -5711,7 +5721,7 @@ $ sudo chgrp root [audit_log_directory] + Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". + + +- ++ + + + +@@ -5741,7 +5751,7 @@ $ sudo chmod 0700 [audit_log_directory] + Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". + + +- ++ + + + +@@ -5773,7 +5783,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. + + +- ++ + + + +@@ -5803,7 +5813,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + --loginuid-immutable + + +- ++ + + + +@@ -5835,7 +5845,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5867,7 +5877,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5899,7 +5909,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5931,7 +5941,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5963,7 +5973,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5995,7 +6005,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6027,7 +6037,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6059,7 +6069,7 @@ Install the audit service (if the audit service is not already installed) with t + $ sudo yum install audit + + +- ++ + + + +@@ -6091,7 +6101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6136,7 +6146,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6168,7 +6178,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6200,7 +6210,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6232,7 +6242,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6264,7 +6274,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6296,7 +6306,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6328,7 +6338,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6361,7 +6371,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6393,7 +6403,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6425,7 +6435,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6457,7 +6467,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6489,7 +6499,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6521,7 +6531,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6553,7 +6563,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6585,7 +6595,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6617,7 +6627,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6649,7 +6659,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6681,7 +6691,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6713,7 +6723,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6745,7 +6755,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6780,7 +6790,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6820,7 +6830,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6852,7 +6862,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6885,7 +6895,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6917,7 +6927,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6949,7 +6959,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6992,7 +7002,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -7031,7 +7041,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7069,7 +7079,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7101,7 +7111,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7133,7 +7143,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7165,7 +7175,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7207,7 +7217,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7249,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7275,7 +7285,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules + $ sudo chmod 0640 /etc/audit/auditd.conf + + +- ++ + + + +@@ -7305,7 +7315,7 @@ $ sudo chmod 0755 [audit_tool] + Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. + + +- ++ + + + +@@ -7337,7 +7347,7 @@ $ sudo chown root [audit_tool] + Replace "[audit_tool]" with each audit tool not owned by "root". + + +- ++ + + + +@@ -7369,7 +7379,7 @@ $ sudo chgrp root [audit_tool] + Replace "[audit_tool]" with each audit tool not group-owned by "root". 
+ + +- ++ + + + +@@ -7404,7 +7414,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul + $ sudo yum install rsyslog + + +- ++ + + + +@@ -7439,7 +7449,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul + $ sudo yum install rsyslog-gnutls + + +- ++ + + + +@@ -7471,7 +7481,7 @@ overflow_action = syslog + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -7497,7 +7507,7 @@ space_left = 25% + Note: Option names and values in the auditd.conf file are case insensitive. + + +- ++ + + + +@@ -7527,7 +7537,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc + port 0 + + +- ++ + + + +@@ -7557,7 +7567,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc + cmdport 0 + + +- ++ + + + +@@ -7591,7 +7601,7 @@ If a privileged user were to log on using this service, the privileged user pass + $ sudo yum remove telnet-server + + +- ++ + + + +@@ -7621,7 +7631,7 @@ Verify the operating system is configured to disable non-essential capabilities. + $ sudo yum remove abrt* + + +- ++ + + + +@@ -7651,7 +7661,7 @@ Verify the operating system is configured to disable non-essential capabilities. + $ sudo yum remove sendmail + + +- ++ + + + +@@ -7683,7 +7693,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion + $ sudo yum remove rsh-server + + +- ++ + + + +@@ -7716,7 +7726,7 @@ blacklist atm + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7749,7 +7759,7 @@ blacklist can + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7782,7 +7792,7 @@ blacklist sctp + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7815,7 +7825,7 @@ blacklist tipc + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7848,7 +7858,7 @@ blacklist cramfs + Reboot the system for the settings to take effect. 
+ + +- ++ + + + +@@ -7879,7 +7889,7 @@ blacklist firewire-core + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7910,14 +7920,14 @@ blacklist usb-storage + Reboot the system for the settings to take effect. + + +- ++ + + + + + SRG-OS-000300-GPOS-00118 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040111 + RHEL 8 Bluetooth must be disabled. + <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. +@@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per + 2921 + + CCI-001443 +- Configure the operating system to disable the Bluetooth adapter when not in use. ++ Configure the operating system to disable the Bluetooth adapter when not in use. + + Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: + + install bluetooth /bin/true + ++Disable the ability to use the Bluetooth kernel module. ++ ++$ sudo vi /etc/modprobe.d/blacklist.conf ++ ++Add or update the line: ++ ++blacklist bluetooth ++ + Reboot the system for the settings to take effect. 
+- ++ + +- ++ + + + +@@ -7972,7 +7990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8000,7 +8018,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8030,7 +8048,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8060,7 +8078,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8088,7 +8106,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8118,7 +8136,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8148,7 +8166,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8178,7 +8196,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8208,7 +8226,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8238,7 +8256,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8268,7 +8286,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + 
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8298,7 +8316,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8328,7 +8346,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8358,7 +8376,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8388,7 +8406,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8418,7 +8436,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO + $ sudo systemctl enable sshd.service + + +- ++ + + + +@@ -8454,7 +8472,7 @@ Restart the SSH daemon for the settings to take effect. + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -8482,7 +8500,7 @@ Reload the daemon for this change to take effect. + $ sudo systemctl daemon-reload + + +- ++ + + + +@@ -8506,7 +8524,7 @@ $ sudo systemctl daemon-reload + $ sudo yum remove tftp-server + + +- ++ + + + +@@ -8530,14 +8548,14 @@ $ sudo yum remove tftp-server + If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040210 + RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
+ <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040220 + RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +@@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040230 + RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. + <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. +@@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040240 + RHEL 8 must not forward IPv6 source-routed packets. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
+@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040250 + RHEL 8 must not forward IPv6 source-routed packets by default. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +@@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040260 + RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +@@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040261 + RHEL 8 must not accept router advertisements on all IPv6 interfaces. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
+@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040262 + RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +@@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040270 + RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +@@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040280 + RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
+@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040281 + RHEL 8 must disable access to network bpf syscall from unprivileged processes. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040282 + RHEL 8 must restrict usage of ptrace to descendant processes. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040283 + RHEL 8 must restrict exposed kernel pointer addresses access. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040284 + RHEL 8 must disable the use of user namespaces. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040285 + RHEL 8 must use reverse path filtering on all IPv4 interfaces. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+@@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + +@@ -9125,7 +9143,7 @@ $ sudo sysctl --system + $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' + + +- ++ + + + +@@ -9157,7 +9175,7 @@ The SSH service must be restarted for changes to take effect: + $ sudo systemctl restart sshd + + +- ++ + + + +@@ -9183,7 +9201,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us + X11UseLocalhost yes + + +- ++ + + + +@@ -9207,7 +9225,7 @@ X11UseLocalhost yes + server_args = -s /var/lib/tftpboot + + +- ++ + + + +@@ -9231,7 +9249,7 @@ server_args = -s /var/lib/tftpboot + $ sudo yum remove vsftpd + + +- ++ + + + +@@ -9259,7 +9277,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose + $ sudo yum remove gssproxy + + +- ++ + + + +@@ -9287,7 +9305,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI + $ sudo yum remove iprutils + + +- ++ + + + +@@ -9315,7 +9333,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. + $ sudo yum remove tuned + + +- ++ + + + +@@ -9345,7 +9363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + $ sudo yum remove krb5-server + + +- ++ + + + +@@ -9369,14 +9387,14 @@ ALL ALL=(ALL) ALL + ALL ALL=(ALL:ALL) ALL + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010383 + RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". + <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
+@@ -9395,14 +9413,14 @@ Defaults !rootpw + Defaults !runaspw + + +- ++ + + + + + SRG-OS-000373-GPOS-00156 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010384 + RHEL 8 must require re-authentication when using the "sudo" command. + <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +@@ -9427,7 +9445,7 @@ Defaults timestamp_timeout=[value] + Note: The "[value]" must be a number that is greater than or equal to "0". + + +- ++ + + + +@@ -9451,7 +9469,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". + + +- ++ + + + +@@ -9475,14 +9493,14 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p + Note: Manual changes to the listed file may be overwritten by the "authselect" program. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040286 + RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + +@@ -9540,18 +9558,18 @@ Lock an account: + $ sudo passwd -l [username] + + +- ++ + + + + + +- ++ + + + repotool + 5.10 +- 2022-03-28T12:45:12 ++ 2022-06-28T15:27:20 + + + +@@ -11139,17 +11157,16 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note + + + +- ++ + +- RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. ++ RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords. 
+ + Red Hat Enterprise Linux 8 + + If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. + +- ++ + +- + + + +@@ -12630,7 +12647,7 @@ RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 pe + + + +- ++ + + RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. + +@@ -12644,6 +12661,7 @@ Protecting the confidentiality and integrity of communications with wireless per + + + ++ + + + +@@ -13523,7 +13541,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + + + +- ++ + + RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". + +@@ -13533,21 +13551,21 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + For more information on each of the listed configurations, reference the sudoers(5) manual page. + + +- ++ + + + +- ++ + + + +- ++ + + + + + +- ++ + + RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. + +@@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit + + If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. 
+ +- +- +- ++ ++ + + + +@@ -13876,7 +13893,7 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + + +@@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- ++ ++ + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + +- +- ++ ++ + + + +@@ -14189,8 +14206,8 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- ++ ++ + + + +@@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- ++ ++ + + + +@@ -14245,12 +14262,8 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- +- +- +- +- ++ ++ + + + +@@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil + + + ++ ++ ++ + + + +@@ -15031,29 +15047,33 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + ++ + +- ++ + + ++ + + + + + +- ++ + + + +- ++ + + ++ + +- ++ + + ++ + + + +@@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + +- ++ + + +- ++ + + +- ++ + + +- ++ + + +- ++ + + +- +- +- +- +- +- ++ ++ + + + +@@ -15132,7 +15148,7 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + + +@@ -15426,12 +15442,14 @@ The sysctl --system command will load settings from all system configuration fil + oval:mil.disa.stig.rhel8:obj:13602 + + +- ++ ++ + /etc/sudoers + ^(?!#).*\s+NOPASSWD.*$ + 1 + +- ++ ++ + /etc/sudoers.d + ^.*$ + ^(?!#).*\s+NOPASSWD.*$ +@@ -15861,41 +15879,109 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ 
^/etc/security/pwquality\.conf.* ++ ^.*$ ++ ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:19700 ++ oval:mil.disa.stig.rhel8:obj:19701 ++ ++ ++ ++ /etc/security ++ ^pwquality\.conf.*$ + ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + ++ ++ ^/etc/security/pwquality\.conf.*$ ++ .* ++ ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:19800 ++ oval:mil.disa.stig.rhel8:obj:19801 ++ ++ + + /etc/security/pwquality.conf + ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*maxclassrepeat\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ^/etc/security/pwquality\.conf.* ++ ^.*$ ++ ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:20000 ++ oval:mil.disa.stig.rhel8:obj:20001 ++ ++ ++ ++ /etc/security ++ ^pwquality\.conf.*$ + ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ ^/etc/security/pwquality\.conf.*$ ++ .* ++ ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:20100 ++ oval:mil.disa.stig.rhel8:obj:20101 ++ ++ + + /etc/security/pwquality.conf + ^\s*minclass\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*difok\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ ^/etc/security/pwquality\.conf.* ++ ^.*$ ++ ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:20300 ++ oval:mil.disa.stig.rhel8:obj:20301 ++ ++ + + /etc/shadow + ^root:[^:]*:[^:]*:0*: +@@ -15959,11 +16045,24 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b + 1 + +- +- /etc/security/pwquality.conf ++ ++ ^/etc/security/pwquality\.conf.*$ ++ .* + ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ /etc/security ++ ^pwquality\.conf ++ ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ 
++ oval:mil.disa.stig.rhel8:obj:20900 ++ oval:mil.disa.stig.rhel8:obj:20901 ++ ++ + + /etc/login.defs + ^\s*PASS_MIN_LEN\s+(\d+)\s*$ +@@ -15979,17 +16078,25 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/pwquality.conf.d/ +- ^.*\.conf$ ++ ++ ^/etc/security/pwquality\.conf.* ++ ^.*$ + ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:21400 ++ oval:mil.disa.stig.rhel8:obj:21401 ++ ++ + + /etc/login.defs + ^\s*FAIL_DELAY\s+(\d+)\s*$ +@@ -16795,6 +16902,12 @@ The sysctl --system command will load settings from all system configuration fil + ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/true[ \t]*$ + 1 + ++ ++ /etc/modprobe.d ++ .* ++ ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ ++ 1 ++ + + /dev/shm + +@@ -17240,17 +17353,25 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*Defaults\s+\!runaspw\s*$ + 1 + +- ++ ++ + /etc/sudoers +- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ ++ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ + 1 + +- ++ ++ + /etc/sudoers.d + ^.*$ +- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ ++ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:41600 ++ oval:mil.disa.stig.rhel8:obj:41601 ++ ++ + + /etc/pam.d/system-auth + \bnullok\b +@@ -17791,12 +17912,24 @@ The sysctl --system command will load settings from all system configuration fil + + 1 + ++ ++ 2 ++ ++ ++ 2 ++ + + 0 + + + 0 + ++ ++ 2 ++ ++ ++ 2 ++ + + ^(no|"no")$ + +@@ -17896,12 +18029,12 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + + repotool + 5.10 +- 2022-03-28T12:45:12 ++ 2022-06-28T15:27:20 + + + + +From b2b2dbba78bb1e182ddfe9e90bd8a8ae5cf33187 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 1 
Aug 2022 14:49:09 +0200 +Subject: [PATCH 3/3] Update RHEL8 STIG to V1R7 + +--- + products/rhel8/profiles/stig.profile | 4 ++-- + products/rhel8/profiles/stig_gui.profile | 4 ++-- + tests/data/profile_stability/rhel8/stig.profile | 4 ++-- + tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++-- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 7adbfee5559..4b480bd2c11 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1,7 +1,7 @@ + documentation_complete: true - Check for the use of the "pwquality" retry option with the following command: + metadata: +- version: V1R6 ++ version: V1R7 + SMEs: + - mab879 + - ggbecker +@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' --$ sudo grep retry /etc/security/pwquality.conf -+$ sudo grep -r retry /etc/security/pwquality.conf* + description: |- + This profile contains configuration checks that align to the +- DISA STIG for Red Hat Enterprise Linux 8 V1R6. ++ DISA STIG for Red Hat Enterprise Linux 8 V1R7. --retry = 3 -+/etc/security/pwquality.conf:retry = 3 + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of +diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile +index 665bc1e059d..fa8bc724a5d 100644 +--- a/products/rhel8/profiles/stig_gui.profile ++++ b/products/rhel8/profiles/stig_gui.profile +@@ -1,7 +1,7 @@ + documentation_complete: true - If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding. + metadata: +- version: V1R6 ++ version: V1R7 + SMEs: + - mab879 + - ggbecker +@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' -+If conflicting results are returned, this is a finding. 
-+ - Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command: + description: |- + This profile contains configuration checks that align to the +- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. ++ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. - $ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 2a16a82889..4bee72830d 100644 +index 2a16a82889a..4bee72830d0 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,7 +1,7 @@ @@ -4451,7 +4467,7 @@ index 2a16a82889..4bee72830d 100644 - mab879 - ggbecker diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index e79776f8e9..ece32d06a6 100644 +index e79776f8e90..ece32d06a6f 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -1,7 +1,7 @@ @@ -4472,6 +4488,3 @@ index e79776f8e9..ece32d06a6 100644 SMEs: - mab879 - ggbecker --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch b/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch similarity index 83% rename from scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch rename to scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch index 56eb3de..ce526cb 100644 --- a/scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch +++ b/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch 
@@ -1,26 +1,21 @@ -From 26ca545c89207d2ac2ba2fb68824c1c323fece79 Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Wed, 3 Aug 2022 07:44:35 -0500 -Subject: [PATCH 4/8] Merge pull request #9277 from - yuumasato/new_sysctl_ipv4_forwarding_rule +From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 1 Aug 2022 17:50:37 +0200 +Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding -Patch-name: scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch -Patch-status: New sysctl ipv4 forwarding rule +This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and +sysctl_net_ipv4_forward. --- .../rule.yml | 44 +++++++++++++++++++ ...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++ - .../sysctl_net_ipv4_ip_forward/rule.yml | 1 - - products/rhel8/profiles/stig.profile | 2 +- shared/references/cce-redhat-avail.txt | 1 - - .../data/profile_stability/rhel8/stig.profile | 4 +- - .../profile_stability/rhel8/stig_gui.profile | 2 +- - 7 files changed, 65 insertions(+), 6 deletions(-) + 3 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml new file mode 100644 -index 0000000000..7b0066f7c2 +index 00000000000..7b0066f7c29 --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml @@ -0,0 +1,44 @@ @@ -70,7 +65,7 @@ index 0000000000..7b0066f7c2 + 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var new file mode 100644 -index 0000000000..2aedd6e643 +index 00000000000..2aedd6e6432 --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var @@ -0,0 +1,17 @@ @@ -91,8 +86,35 @@ index 0000000000..2aedd6e643 + disabled: "0" + enabled: 1 + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 914233f06bf..3e14b73dd71 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -168,7 +168,6 @@ CCE-86216-9 + CCE-86217-7 + CCE-86218-5 + CCE-86219-3 +-CCE-86220-1 + CCE-86221-9 + CCE-86222-7 + CCE-86223-5 + +From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 1 Aug 2022 17:53:32 +0200 +Subject: [PATCH 2/2] Better align with RHEL-08-040259 + +The item is about net.ipv4.conf.all.forwarding +The update to V1R7 made brought this misalignment to light. +--- + .../sysctl_net_ipv4_ip_forward/rule.yml | 1 - + products/rhel8/profiles/stig.profile | 2 +- + tests/data/profile_stability/rhel8/stig.profile | 4 ++-- + tests/data/profile_stability/rhel8/stig_gui.profile | 2 +- + 4 files changed, 4 insertions(+), 5 deletions(-) + diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -index 5c449db7f3..7acfc0b05b 100644 +index 5c449db7f3a..7acfc0b05b6 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -45,7 +45,6 @@ references: @@ -104,7 +126,7 @@ index 5c449db7f3..7acfc0b05b 100644 stigid@sle15: SLES-15-040380 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index 4b480bd2c1..6b44436a2b 100644 +index 4b480bd2c11..6b44436a2b1 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1127,7 +1127,7 @@ selections: @@ -116,20 +138,8 @@ index 4b480bd2c1..6b44436a2b 100644 # RHEL-08-040260 - sysctl_net_ipv6_conf_all_forwarding -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index a613a152ae..9480db3eae 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -176,7 +176,6 @@ CCE-86216-9 - CCE-86217-7 - CCE-86218-5 - CCE-86219-3 --CCE-86220-1 - CCE-86221-9 - CCE-86222-7 - CCE-86223-5 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 4bee72830d..47f53a9d02 100644 +index 4bee72830d0..47f53a9d023 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,7 +1,7 @@ @@ -157,7 +167,7 @@ index 4bee72830d..47f53a9d02 100644 - sysctl_net_ipv6_conf_all_accept_redirects - sysctl_net_ipv6_conf_all_accept_source_route diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index ece32d06a6..c4e60ddcde 100644 +index ece32d06a6f..c4e60ddcde5 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -405,13 +405,13 @@ selections: @@ -175,6 +185,3 @@ index ece32d06a6..c4e60ddcde 100644 - sysctl_net_ipv6_conf_all_accept_ra - sysctl_net_ipv6_conf_all_accept_redirects - sysctl_net_ipv6_conf_all_accept_source_route --- -2.37.1 - 
diff --git a/scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch b/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch similarity index 85% rename from scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch rename to scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch index 5bc5ac5..36aa0be 100644 --- a/scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch +++ b/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch @@ -1,11 +1,9 @@ -From 44bcccbe3a3b00ef1151089b0faacf82770bdc98 Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Tue, 9 Aug 2022 13:09:07 -0500 -Subject: [PATCH 8/8] Merge pull request #9318 from - ggbecker/reintroduce-sshd-timeout +From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 9 Aug 2022 17:28:33 +0200 +Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG + profile. -Patch-name: scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch -Patch-status: Reintroduce back the sshd timeout rules in RHEL8 STIG profile --- .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 + .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 + @@ -15,7 +13,7 @@ Patch-status: Reintroduce back the sshd timeout rules in RHEL8 STIG profile 5 files changed, 13 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -index 46ea0558a4..1e9c617275 100644 +index 46ea0558a42..1e9c6172758 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml @@ -57,6 +57,7 @@ references: @@ -27,7 +25,7 @@ index 46ea0558a4..1e9c617275 100644 stigid@sle15: SLES-15-010280 stigid@ubuntu2004: UBTU-20-010037 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -index 0f0693ddc6..f6e98a61d9 100644 +index 0f0693ddc6c..f6e98a61d9a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -53,6 +53,7 @@ references: @@ -39,7 +37,7 @@ index 0f0693ddc6..f6e98a61d9 100644 stigid@sle15: SLES-15-010320 vmmsrg: SRG-OS-000480-VMM-002000 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index 6b44436a2b..124b7520d3 100644 +index 6b44436a2b1..124b7520d3a 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -170,13 +170,13 @@ selections: @@ -64,7 +62,7 @@ index 6b44436a2b..124b7520d3 100644 # RHEL-08-010210 - file_permissions_var_log_messages diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 47f53a9d02..6c75d0ae1b 100644 +index 47f53a9d023..6c75d0ae1b1 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -369,6 +369,8 @@ selections: @@ -77,7 +75,7 @@ index 47f53a9d02..6c75d0ae1b 100644 - sshd_x11_use_localhost - sssd_certificate_verification diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index c4e60ddcde..8a7a469b94 100644 +index c4e60ddcde5..8a7a469b940 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -379,6 +379,8 @@ selections: @@ -89,6 +87,3 @@ index c4e60ddcde..8a7a469b94 100644 - sshd_use_strong_rng - sshd_x11_use_localhost - sssd_certificate_verification --- -2.37.1 - 
diff --git a/scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch b/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch similarity index 74% rename from scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch rename to scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch index fee7c4d..da41301 100644 --- a/scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch +++ b/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch @@ -1,11 +1,10 @@ -From 07261c69afcdc5f9afcdd5aefc2ee9510d705f37 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 3 Aug 2022 13:08:25 +0200 -Subject: [PATCH 6/8] Merge pull request #9283 from - yuumasato/accept_sudoers_without_includes +From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Aug 2022 15:57:52 +0200 +Subject: [PATCH 1/2] Accept sudoers files without includes as compliant -Patch-name: scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch -Patch-status: Accept sudoers files without includes as compliant +Update rule sudoers_default_includedir to accept as compliant sudoers +files that don't have any #include or #includedir directive --- .../oval/shared.xml | 24 +++++++++++++++---- .../sudo/sudoers_default_includedir/rule.yml | 8 ++++--- @@ -14,7 +13,7 @@ Patch-status: Accept sudoers files without includes as compliant rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%) diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -index 59cab0b89d..82095acc6e 100644 +index 59cab0b89de..629fbe8c6d2 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml 
@@ -1,10 +1,16 @@ @@ -32,8 +31,8 @@ index 59cab0b89d..82095acc6e 100644 + + + -+ -+ ++ ++ + @@ -56,7 +55,7 @@ index 59cab0b89d..82095acc6e 100644 comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1"> diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -index aa2aaee19f..83bfb0183b 100644 +index aa2aaee19f8..83bfb0183bd 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml @@ -8,9 +8,11 @@ description: |- @@ -78,7 +77,7 @@ diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/test similarity index 51% rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -index 1e0ab8aea9..fe73cb2507 100644 +index 1e0ab8aea92..fe73cb25076 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh @@ -1,4 +1,4 @@ 
@@ -87,6 +86,28 @@ index 1e0ab8aea9..fe73cb2507 100644 -sed -i "/#includedir.*/d" /etc/sudoers +sed -i "/#include(dir)?.*/d" /etc/sudoers --- -2.37.1 +From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 12:01:12 +0200 +Subject: [PATCH 2/2] Improve definition's comments + +--- + .../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +index 629fbe8c6d2..82095acc6ed 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +@@ -8,8 +8,8 @@ + + + +- +- ++ ++ + + + diff --git a/scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch b/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch similarity index 55% rename from scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch rename to scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch index 8b32f40..19343f2 100644 --- a/scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch +++ b/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch 
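Review bot: The scenario script `no_includedir.pass.sh` carried in this hunk runs `sed -i "/#include(dir)?.*/d" /etc/sudoers`, but in sed's default basic regex `(`, `)` and `?` are literal characters, so the pattern only matches the text `#include(dir)?` and the `#includedir /etc/sudoers.d` line is never removed; the test then passes with the include still present and does not exercise the "sudoers without any include" case it was renamed for. Use extended syntax, `sed -i -E "/#include(dir)?.*/d" /etc/sudoers`, or escape the group and quantifier as `\(dir\)\?` in BRE. Separately, sudo 1.9.1 and later also honour `@include` / `@includedir`; if the OVAL in this patch only recognises the `#include` spelling, a host that switched to the `@` form would be assessed incorrectly and deserves its own pass/fail scenario. The OVAL regex itself is inside the nested `.patch` file and not visible in this hunk, so that part is an inference.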
@@ -1,91 +1,39 @@ -From b4f98a72871d3f8f277e3357eed843b041a248a3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 4 Aug 2022 14:20:20 +0200 -Subject: [PATCH 7/8] Merge pull request #9286 from - yuumasato/update_sysctl_rules_with_new_compliant_values +From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 09:57:33 +0200 +Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values -Update few sysctl rules to accept multiple compliant values - -Patch-name: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch -Patch-status: Update few sysctl rules to accept multiple compliant values +This also removes value '0' from the list of possible configurations. +This change aligns the rule better with STIG. --- - .../rule.yml | 35 +++++++++++++++++-- - .../tests/value_1.pass.sh | 11 ++++++ - .../tests/value_2.pass.sh | 11 ++++++ - ...sctl_net_ipv4_conf_all_rp_filter_value.var | 2 +- - .../sysctl_kernel_kptr_restrict/rule.yml | 35 ++++++++++++++++++- - .../tests/value_1.pass.sh | 11 ++++++ - .../tests/value_2.pass.sh | 11 ++++++ - .../sysctl_kernel_kptr_restrict_value.var | 1 - - ...kernel_unprivileged_bpf_disabled_value.var | 1 - - 9 files changed, 112 insertions(+), 6 deletions(-) + .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++ + .../tests/value_1.pass.sh | 10 ++++++++++ + .../tests/value_2.pass.sh | 10 ++++++++++ + .../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +- + 4 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh - create mode 100644 
linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index 496a8491f3..4d31c6c3eb 100644 +index 496a8491f32..697f79fa872 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -@@ -47,11 +47,36 @@ references: - stigid@rhel7: RHEL-07-040611 - stigid@rhel8: RHEL-08-040285 - --{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}} -+ocil: |- -+ The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried -+ by running the following command: -+
$ sysctl net.ipv4.conf.all.rp_filter
-+ The output of the command should indicate either: -+ net.ipv4.conf.all.rp_filter = 1 -+ or: -+ net.ipv4.conf.all.rp_filter = 2 -+ The output of the command should not indicate: -+ net.ipv4.conf.all.rp_filter = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent sysctl parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ net.ipv4.conf.all.rp_filter = 1 -+ or: -+ net.ipv4.conf.all.rp_filter = 2 -+ -+ Conflicting assignments are not allowed. -+ -+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0" - - fixtext: |- - Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces. -- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}} -+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}} - - srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.' - -@@ -59,4 +84,10 @@ template: +@@ -59,4 +59,8 @@ template: name: sysctl vars: sysctlvar: net.ipv4.conf.all.rp_filter -+ {{% if 'ol' in product or 'rhel' in product %}} + sysctlval: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" -+ {{% endif %}} datatype: int diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh new file mode 100644 -index 0000000000..583b70a3b9 +index 00000000000..516bfaf1369 --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -@@ -0,0 +1,11 @@ +@@ -0,0 +1,10 @@ +#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* @@ -97,12 +45,11 @@ index 0000000000..583b70a3b9 +sysctl -w net.ipv4.conf.all.rp_filter="1" 
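Review bot: The new version of this patch drops the inner hunk that rewrote the OCIL and fixtext, so rule.yml keeps `{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}` and `fixtext_sysctl(..., value="1")` while the template block now lists `sysctlval: ['1', '2']`; unless the OCIL macro reads the `sysctlval` list, a manual assessor is told only `1` passes while the scanner accepts `2`, and the two will disagree on a host set to loose mode. The `{{% if 'ol' in product or 'rhel' in product %}}` guard and the `# platform = multi_platform_ol,multi_platform_rhel` test line are also gone, so every product that selects this rule now treats loose reverse-path filtering as compliant, which on a multi-homed host only requires the source to be routable via some interface and does not discard spoofed packets the way strict mode does. I would either restore the OCIL/fixtext change or add a rationale comment above `sysctlval:` such as `# STIG RHEL-08-040285 accepts strict (1) or loose (2); loose is weaker on multi-homed hosts`. The rule.yml file is shown only in part, so its surrounding context lies outside this hunk.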
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh new file mode 100644 -index 0000000000..ef545976dc +index 00000000000..ef1b8da0479 --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -@@ -0,0 +1,11 @@ +@@ -0,0 +1,10 @@ +#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* @@ -113,7 +60,7 @@ index 0000000000..ef545976dc +# set correct runtime value to check if the filesystem configuration is evaluated properly +sysctl -w net.ipv4.conf.all.rp_filter="2" diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var -index e3fc78e3f0..1eae854f6b 100644 +index e3fc78e3f05..1eae854f6b0 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var @@ -17,5 +17,5 @@ interactive: false 
@@ -123,68 +70,45 @@ index e3fc78e3f0..1eae854f6b 100644 - disabled: "0" enabled: 1 + loose: 2 + +From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 10:53:40 +0200 +Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values + +This also removes value '0' from the list of possible configurations. +This change aligns the rule better with STIG. +--- + .../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++ + .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++ + .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++ + .../sysctl_kernel_kptr_restrict_value.var | 1 - + 4 files changed, 24 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh + diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index 1984b3c869..367934b567 100644 +index 1984b3c8691..5706eee0a0a 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -34,6 +34,33 @@ references: - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} - -+ocil: |- -+ The runtime status of the kernel.kptr_restrict kernel parameter can be queried -+ by running the following command: -+
$ sysctl kernel.kptr_restrict
-+ The output of the command should indicate either: -+ kernel.kptr_restrict = 1 -+ or: -+ kernel.kptr_restrict = 2 -+ The output of the command should not indicate: -+ kernel.kptr_restrict = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent kernel parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ kernel.kptr_restrict = 1 -+ or: -+ kernel.kptr_restrict = 2 -+ -+ Conflicting assignments are not allowed. -+ -+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0" -+ - srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.' - - platform: machine -@@ -42,8 +69,14 @@ template: +@@ -42,6 +42,10 @@ template: name: sysctl vars: sysctlvar: kernel.kptr_restrict -+ {{% if 'ol' in product or 'rhel' in product %}} + sysctlval: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" -+ {{% endif %}} datatype: int fixtext: |- - Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access. -- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}} -+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}} diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh new file mode 100644 -index 0000000000..70189666c1 +index 00000000000..e6efae48b25 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -@@ -0,0 +1,11 @@ +@@ -0,0 +1,10 @@ +#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* @@ -196,12 +120,11 @@ index 0000000000..70189666c1 +sysctl -w kernel.kptr_restrict="1" 
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh new file mode 100644 -index 0000000000..209395fa9a +index 00000000000..be3f2b743ef --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -@@ -0,0 +1,11 @@ +@@ -0,0 +1,10 @@ +#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* @@ -212,7 +135,7 @@ index 0000000000..209395fa9a +# set correct runtime value to check if the filesystem configuration is evaluated properly +sysctl -w kernel.kptr_restrict="2" diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var -index 452328e3ef..268550de53 100644 +index 452328e3efd..268550de53d 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var @@ -12,6 +12,5 @@ interactive: false @@ -222,8 +145,20 @@ index 452328e3ef..268550de53 100644 - 0: 0 1: 1 2: 2 + +From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 11:08:34 +0200 +Subject: [PATCH 3/5] Remove variable selector that will result in error + +The rule only accepts values 1 or 2 as compliant, the XCCDF Variable +cannot have the value 0, it will never result in pass. +--- + .../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 - + 1 file changed, 1 deletion(-) + 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -index b8bf965a25..cbfd9bafa9 100644 +index b8bf965a255..cbfd9bafa91 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var @@ -13,6 +13,5 @@ interactive: false 
@@ -233,6 +168,191 @@ index b8bf965a25..cbfd9bafa9 100644 - 0: "0" 1: "1" 2: "2" --- -2.37.1 +From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 11:33:03 +0200 +Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol + +For now, the only STIGs I see that adopted this change were RHEL's and +OL's. +--- + .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++ + .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 + + .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 + + .../sysctl_kernel_kptr_restrict/rule.yml | 2 ++ + .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 + + .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 + + 6 files changed, 8 insertions(+) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +index 697f79fa872..f04ae37c13d 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +@@ -59,8 +59,10 @@ template: + name: sysctl + vars: + sysctlvar: net.ipv4.conf.all.rp_filter ++ {{% if 'ol' in product or 'rhel' in product %}} + sysctlval: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" ++ {{% endif %}} + datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +index 516bfaf1369..583b70a3b97 100644 +--- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +index ef1b8da0479..ef545976dc6 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index 5706eee0a0a..f53e035effa 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -42,10 +42,12 @@ template: + name: sysctl + vars: + sysctlvar: kernel.kptr_restrict ++ {{% if 'ol' in product or 'rhel' in product %}} + sysctlval: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" ++ {{% endif %}} 
+ datatype: int + + fixtext: |- +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +index e6efae48b25..70189666c16 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +index be3f2b743ef..209395fa9a1 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* + +From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 14:01:40 +0200 +Subject: [PATCH 5/5] Update OCIL check along with the rule + +The OCIL should should mention both compliant values. 
+--- + .../rule.yml | 29 +++++++++++++++++-- + .../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++- + 2 files changed, 55 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +index f04ae37c13d..4d31c6c3ebd 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +@@ -47,11 +47,36 @@ references: + stigid@rhel7: RHEL-07-040611 + stigid@rhel8: RHEL-08-040285 + +-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}} ++ocil: |- ++ The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried ++ by running the following command: ++
$ sysctl net.ipv4.conf.all.rp_filter
++ The output of the command should indicate either: ++ net.ipv4.conf.all.rp_filter = 1 ++ or: ++ net.ipv4.conf.all.rp_filter = 2 ++ The output of the command should not indicate: ++ net.ipv4.conf.all.rp_filter = 0 ++ ++ The preferable way how to assure the runtime compliance is to have ++ correct persistent configuration, and rebooting the system. ++ ++ The persistent sysctl parameter configuration is performed by specifying the appropriate ++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ net.ipv4.conf.all.rp_filter = 1 ++ or: ++ net.ipv4.conf.all.rp_filter = 2 ++ ++ Conflicting assignments are not allowed. ++ ++ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0" + + fixtext: |- + Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces. +- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}} ++ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}} + + srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.' + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index f53e035effa..367934b5672 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -34,6 +34,33 @@ references: + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} + ++ocil: |- ++ The runtime status of the kernel.kptr_restrict kernel parameter can be queried ++ by running the following command: ++
$ sysctl kernel.kptr_restrict
++ The output of the command should indicate either: ++ kernel.kptr_restrict = 1 ++ or: ++ kernel.kptr_restrict = 2 ++ The output of the command should not indicate: ++ kernel.kptr_restrict = 0 ++ ++ The preferable way how to assure the runtime compliance is to have ++ correct persistent configuration, and rebooting the system. ++ ++ The persistent kernel parameter configuration is performed by specifying the appropriate ++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ kernel.kptr_restrict = 1 ++ or: ++ kernel.kptr_restrict = 2 ++ ++ Conflicting assignments are not allowed. ++ ++ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0" ++ + srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.' + + platform: machine +@@ -52,4 +79,4 @@ template: + + fixtext: |- + Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access. +- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}} ++ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}} diff --git a/scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch b/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch similarity index 41% rename from scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch rename to scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch index 916116c..1f8f5b0 100644 --- a/scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch +++ b/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch 
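Review bot: In the kptr_restrict rule.yml hunk of PATCH 5/5 (`@@ -34,6 +34,33 @@`), the new side keeps the context line `{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}` and adds an explicit `ocil:`/`ocil_clause:` block directly below it, whereas the rp_filter hunk in the same commit removes the macro line. If that macro expands to its own `ocil:` and `ocil_clause:` keys, the rendered rule carries duplicate keys and still describes value 1 only; the kptr_restrict hunk should drop the macro line the same way, `-{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}`. Separately, PATCH 4/5 gates `sysctlval: ['1','2']` behind `{{% if 'ol' in product or 'rhel' in product %}}`, while the OCIL text added in PATCH 5/5 unconditionally tells the assessor that 1 or 2 are both acceptable; on other products the check presumably falls back to the single XCCDF value, so the manual check may disagree with the automated one there, and the OCIL text would benefit from a matching Jinja conditional or an explanatory sentence in the commit message.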
@@ -1,273 +1,54 @@ -From 48a361a41eff571e8c0d6f8c759c56d41cec5c5a Mon Sep 17 00:00:00 2001 -From: vojtapolasek -Date: Tue, 2 Aug 2022 13:21:45 +0200 -Subject: [PATCH 3/8] Merge pull request #9147 from jan-cerny/rhbz2081728 +From 81c2f59f42ffa2cf5a611eaeccc40c802bedd6d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 8 Jul 2022 17:51:57 +0200 +Subject: [PATCH 01/23] Remove a rule from RHEL 9 OSPP -Patch-name: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch -Patch-status: Refresh BPF related rules in RHEL 9 OSPP profile +Remove rule sysctl_net_core_bpf_jit_harden from RHEL 9 OSPP. This rule +requires to set net.core.bpf_jit_harden value to 2, the RHEL 9 default +is 1. However, bpf_jit_harden=1 disables kallsyms access from bpf +programs and all users, and it turns on constants blinding by using +random value + XOR for CAP_BPF; so the only thing in which value 1 and 2 +differ is the constants blinding for CAP_SYS_ADMIN processes in the +initial user namespaces. The extra constants blinding with +bpf_jit_harden=2 does not really help with CVE mitigation. 
+ +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2081728 --- - docs/templates/template_reference.md | 24 +- - .../rule.yml | 82 +++++++ - .../tests/system_default.pass.sh | 5 + - .../tests/test_config.yml | 6 + - .../tests/value_0.fail.sh | 11 + - .../tests/value_1.pass.sh | 11 + - .../tests/value_2.pass.sh | 11 + - ...kernel_unprivileged_bpf_disabled_value.var | 18 ++ - products/rhel9/profiles/ospp.profile | 4 +- - .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- - shared/references/cce-redhat-avail.txt | 1 - - shared/templates/sysctl/ansible.template | 2 +- - shared/templates/sysctl/bash.template | 2 +- - shared/templates/sysctl/oval.template | 213 +++++++++++------- - shared/templates/sysctl/template.py | 24 +- - 15 files changed, 316 insertions(+), 102 deletions(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var + products/rhel9/profiles/ospp.profile | 1 - + 1 file changed, 1 deletion(-) -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index a439e3dca9..e73b95450f 100644 ---- 
a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -815,8 +815,28 @@ The selected value can be changed in the profile (consult the actual variable fo - - - **datatype** - data type of the sysctl value, eg. `int`. - -- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this -- parameter is not specified, XCCDF Value is used instead. -+ - **sysctlval** - value of the sysctl value. This can be either not -+ specified, or an atomic value, eg. `'1'`, or a list of values, -+ eg. `['1','2']`. -+ - If this parameter is not specified, an XCCDF Value is used instead -+ in OVAL check and remediations. The XCCDF Value should have a file -+ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, -+ where the `escaped_sysctlvar` is a value of the **sysctlvar** -+ parameter in which all characters that don't match the `\w` regular -+ expression are replaced by an underscore (`_`). -+ - If this parameter is set to an atomic value, this atomic value -+ will be used in OVAL check and remediations. -+ - If this parameter is set to a list of values, the list will be used -+ in the OVAL check, but won't be used in the remediations. -+ All remediations will use an XCCDF value instead. -+ -+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This -+ will be used in templated test scenarios when **sysctlval** is a list. -+ -+ - **missing_parameter_pass** - if set to `true` the check will pass if the -+ setting for the given **sysctlvar** is not present in sysctl -+ configuration files. In other words, the check will pass if the system -+ default isn't overriden by configuration. Default value: `false`. - - - **operation** - operation used for comparison of collected object - with **sysctlval**. Default value: `equals`. 
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -new file mode 100644 -index 0000000000..259d1f901c ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -0,0 +1,82 @@ -+documentation_complete: true -+ -+prodtype: rhel9 -+ -+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' -+ -+description: |- -+ To prevent unprivileged processes from using the bpf() syscall -+ the kernel.unprivileged_bpf_disabled kernel parameter must -+ be set to 1 or 2. -+ -+ Writing 1 to this entry will disable unprivileged calls to bpf(); once -+ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. -+ Once set to 1, this can't be cleared from the running kernel anymore. -+ -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} -+ -+ Writing 2 to this entry will also disable unprivileged calls to bpf(), -+ however, an admin can still change this setting later on, if needed, by -+ writing 0 or 1 to this entry. -+ -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} -+ -+rationale: |- -+ Loading and accessing the packet filters programs and maps using the bpf() -+ syscall has the potential of revealing sensitive information about the kernel state. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel9: CCE-87712-6 -+ -+references: -+ disa: CCI-000366 -+ nist: AC-6,SC-7(10) -+ ospp: FMT_SMF_EXT.1 -+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 -+ -+ocil: |- -+ The runtime status of the kernel.unprivileged_bpf_disabled -+ kernel parameter can be queried by running the following command: -+
$ sysctl kernel.unprivileged_bpf_disabled
-+ The output of the command should indicate either: -+ kernel.unprivileged_bpf_disabled = 1 -+ or: -+ kernel.unprivileged_bpf_disabled = 2 -+ The output of the command should not indicate: -+ kernel.unprivileged_bpf_disabled = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent kernel parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ kernel.unprivileged_bpf_disabled = 1 -+ or: -+ kernel.unprivileged_bpf_disabled = 2 -+ -+ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. -+ -+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" -+ -+fixtext: |- -+ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. -+ -+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' -+ -+platform: machine -+ -+template: -+ name: sysctl -+ vars: -+ sysctlvar: kernel.unprivileged_bpf_disabled -+ sysctlval: -+ - '1' -+ - '2' -+ wrong_sysctlval_for_testing: "0" -+ missing_parameter_pass: "true" -+ datatype: int -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh -new file mode 100644 -index 0000000000..b9776227bd ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -new file mode 100644 -index 0000000000..5cf6807405 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -@@ -0,0 +1,6 @@ -+deny_templated_scenarios: -+ 
# this rule uses missing_parameter_pass: true which means the check should pass -+ # if the configuration is missing (or commented out) therefore we disable -+ # line_not_there.fail.sh and comment.fail.sh test scenarios -+ - line_not_there.fail.sh -+ - comment.fail.sh -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh -new file mode 100644 -index 0000000000..9f19e0140b ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf -+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.unprivileged_bpf_disabled="0" -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh -new file mode 100644 -index 0000000000..e976db594c ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf -+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if 
the filesystem configuration is evaluated properly -+sysctl -w kernel.unprivileged_bpf_disabled="1" -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh -new file mode 100644 -index 0000000000..b1537175eb ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf -+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.unprivileged_bpf_disabled="2" -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -new file mode 100644 -index 0000000000..b8bf965a25 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -@@ -0,0 +1,18 @@ -+documentation_complete: true -+ -+title: kernel.unprivileged_bpf_disabled -+ -+description: |- -+ Prevent unprivileged processes from using the bpf() syscall. -+ -+type: number -+ -+operator: equals -+ -+interactive: false -+ -+options: -+ default: 2 -+ 0: "0" -+ 1: "1" -+ 2: "2" diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index feb96501a9..f27f961a7a 100644 +index 244a421fb48..a7ba9532d2c 100644 --- a/products/rhel9/profiles/ospp.profile 
+++ b/products/rhel9/profiles/ospp.profile -@@ -74,8 +74,8 @@ selections: - - sysctl_kernel_yama_ptrace_scope +@@ -75,7 +75,6 @@ selections: - sysctl_kernel_perf_event_paranoid - sysctl_user_max_user_namespaces -- - sysctl_kernel_unprivileged_bpf_disabled + - sysctl_kernel_unprivileged_bpf_disabled - - sysctl_net_core_bpf_jit_harden -+ - sysctl_kernel_unprivileged_bpf_disabled_accept_default -+ - sysctl_kernel_unprivileged_bpf_disabled_value=2 - service_kdump_disabled ### Audit + +From bdcd2bafe5dd68448c0fc13e1aa1be64df607c8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 12 Jul 2022 11:24:42 +0200 +Subject: [PATCH 02/23] Rename IDs in sysctl OVAL template + +The sysctl template uses its sysctlvar parameter value as a part of OVAL +object IDs, test IDs and state IDs. That means we can't have multiple +rules using the sysctl template with the same value of sysctlvar +parameter (only differ in other parameters) because there would be +duplicate elements. We will fix this by using the rule ID as a part of +OVAL object IDs, test IDs and state IDs. That will allow to use the +template for the same sysctlvar in different rules. +--- + .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- + shared/templates/sysctl/oval.template | 156 +++++++++--------- + 2 files changed, 80 insertions(+), 80 deletions(-) + diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -index 1195cea518..f971d28a04 100644 +index 1195cea518f..f971d28a047 100644 --- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml @@ -19,8 +19,8 @@ 
@@ -281,72 +62,22 @@ index 1195cea518..f971d28a04 100644 -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index fb2f59fd09..a613a152ae 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -1443,7 +1443,6 @@ CCE-87708-4 - CCE-87709-2 - CCE-87710-0 - CCE-87711-8 --CCE-87712-6 - CCE-87713-4 - CCE-87714-2 - CCE-87715-9 -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index c13bb6637f..edc4d3fb66 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -21,7 +21,7 @@ - replace: '#{{{ SYSCTLVAR }}}' - loop: "{{ find_sysctl_d.files }}" - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - - - name: Ensure sysctl {{{ SYSCTLVAR }}} is set -diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index d67a59c388..cd3424b022 100644 ---- a/shared/templates/sysctl/bash.template -+++ b/shared/templates/sysctl/bash.template -@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - fi - done - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} - - # -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 74583dbee1..1a7c4979bb 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -1,12 +1,20 @@ - {{%- if SYSCTLVAL == "" %}} - {{%- set COMMENT_VALUE="the appropriate value" %}} -+{{%- elif SYSCTLVAL is sequence %}} -+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} - {{%- else %}} - {{%- set COMMENT_VALUE=SYSCTLVAL %}} - {{%- endif %}} +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 74583dbee1d..52671c06402 
100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -5,8 +5,8 @@ + {{%- endif %}} {{% macro state_static_sysctld(prefix) -%}} - - + -+{{% if SYSCTLVAL is string %}} + -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+{{% endif %}} {{%- endmacro -%}} {{%- macro sysctl_match() -%}} {{%- if SYSCTLVAL == "" -%}} -@@ -20,13 +28,13 @@ +@@ -20,13 +20,13 @@ {{%- if "P" in FLAGS -%}} @@ -363,7 +94,7 @@ index 74583dbee1..1a7c4979bb 100644 -@@ -34,7 +42,7 @@ +@@ -34,7 +34,7 @@ {{%- elif "I" in FLAGS -%}} @@ -372,7 +103,7 @@ index 74583dbee1..1a7c4979bb 100644 {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} {{% if product in ["ubuntu1604", "ubuntu1804"] %}} -@@ -46,9 +54,9 @@ +@@ -46,9 +46,9 @@ {{% endif %}} -@@ -58,33 +66,41 @@ +@@ -58,33 +58,33 @@ {{%- if "R" in FLAGS -%}} @@ -398,28 +129,19 @@ index 74583dbee1..1a7c4979bb 100644 - + check="all" check_existence="all_exist"> - - -+ check="all" check_existence="all_exist" state_operator="OR"> + -+{{% if SYSCTLVAL is string %}} + -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+{{% endif %}} - + {{{ SYSCTLVAR }}} -+{{% if SYSCTLVAL is string %}} {{% if SYSCTLVAL == "" %}} - + 
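Review bot: The list-aware guards `{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}` in `shared/templates/sysctl/ansible.template` and `bash.template` drop out of the patch here and nothing in this hunk replaces them, so unless the rebuilt series reintroduces them in a later hunk, a list-valued sysctlval would presumably fall through to the remediations' single-value branch and be rendered into the sysctl configuration as-is. The removed CCE-87712-6 line from `shared/references/cce-redhat-avail.txt` likewise no longer has a counterpart in this hunk; worth confirming the identifier is still reserved elsewhere in the series. The OVAL markup of the quoted "Rename IDs" hunk did not survive extraction (only the `+`/`-` markers remain), so the new object, test and state IDs cannot be checked for uniqueness across rules from this view.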
@@ -437,30 +159,13 @@ index 74583dbee1..1a7c4979bb 100644 {{% if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} -@@ -94,133 +110,156 @@ - {{% endif %}} - - {{%- endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ -+{{% endfor %}} -+{{% endif %}} - - - {{%- endif -%}} +@@ -100,46 +100,46 @@ {{%- if "S" in FLAGS -%}} - + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} -+ -+{{% endif %}} {{% endif %}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} -+ -+ -+{{% endif %}} - -+ -+ -+{{% endif %}} -+ + + check="all" check_existence="all_exist" + comment="{{{ SYSCTLVAR }}} static configuration"> {{{ state_static_sysctld("sysctl") }}} - + + comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf"> {{{ state_static_sysctld("etc_sysctld") }}} - + + comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf"> {{{ state_static_sysctld("run_sysctld") }}} @@ -524,11 +214,9 @@ index 74583dbee1..1a7c4979bb 100644 - -+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> + comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf"> {{{ state_static_sysctld("usr_lib_sysctld") }}} - - {{% endif %}} +@@ -148,79 +148,79 @@ {{% if target_oval_version >= [5, 11] %}} @@ -714,9 +402,8 @@ index 74583dbee1..1a7c4979bb 100644 /usr/lib/sysctl.d ^.*\.conf$ {{{ sysctl_match() }}} - +@@ -288,15 +288,15 @@ {{% endif %}} -+{{% if SYSCTLVAL is string %}} {{% if SYSCTLVAL == "" %}} - 
@@ -735,33 +422,105 @@ index 74583dbee1..1a7c4979bb 100644 {{% if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} {{% else %}} -@@ -304,5 +344,12 @@ - {{% endif %}} - + +From ee5d91aaf33504e56b6959c17c8ebc6006a17a5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:16:45 +0200 +Subject: [PATCH 03/23] Use a list of values in sysctl template + +This patch adds an ability to use a list of values instead of a single +value in the sysctlval parameter of the sysctl template. This is useful +for situations when we want to create a rule that passes for multiple +different sysctl values. This commit modifies the OVAL for the runtime +configuration. The runtime configuration will be allowed to be any of +the values in the list. There is an OR relation between the values. In +fact, this is a first step to enable multiple values in the sysctlval +parameter in the sysctl template, because we will also need to check the +static configuration, which is not done in this commit. 
+--- + shared/templates/sysctl/oval.template | 32 +++++++++++++++++++++++++++ + shared/templates/sysctl/template.py | 24 ++++++++++++-------- + 2 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 52671c06402..b73ccc94f72 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -1,5 +1,7 @@ + {{%- if SYSCTLVAL == "" %}} + {{%- set COMMENT_VALUE="the appropriate value" %}} ++{{%- elif SYSCTLVAL is sequence %}} ++{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} + {{%- else %}} + {{%- set COMMENT_VALUE=SYSCTLVAL %}} + {{%- endif %}} +@@ -60,21 +62,43 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} ++{{% if SYSCTLVAL is string %}} + + + ++{{% elif SYSCTLVAL is sequence %}} ++ ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++ ++{{% endif %}} + ++ ++{{% if SYSCTLVAL is string %}} + + + + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% endfor %}} ++{{% endif %}} + + + {{{ SYSCTLVAR }}} + ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + + {{%- endif %}} +{{% elif SYSCTLVAL is sequence %}} +{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ ++ ++ {{{ x }}} ++ +{{% endfor %}} +{{% endif %}} + {{%- endif -%}} diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index fa981a9dce..9083a6a418 100644 +index fa981a9dce9..c62591357c0 100644 --- a/shared/templates/sysctl/template.py 
+++ b/shared/templates/sysctl/template.py -@@ -11,8 +11,19 @@ def preprocess(data, lang): - data["flags"] = "SR" + ipv6_flag +@@ -12,6 +12,13 @@ def preprocess(data, lang): if "operation" not in data: data["operation"] = "equals" -+ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: -+ raise ValueError( -+ "The sysctlval parameter of {0} is an empty list".format( -+ data["_rule_id"])) - # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + "Test scenarios for data type '{0}' are not implemented yet.\n" @@ -769,21 +528,26 @@ index fa981a9dce..9083a6a418 100644 + "{2} to add tests for it.".format( + data["datatype"], data["_rule_id"], __file__)) + + # Configure data for test scenarios if data["sysctlval"] == "": if data["datatype"] == "int": - data["sysctl_correct_value"] = "0" -@@ -20,20 +31,13 @@ def preprocess(data, lang): +@@ -20,20 +27,19 @@ def preprocess(data, lang): elif data["datatype"] == "string": data["sysctl_correct_value"] = "correct_value" data["sysctl_wrong_value"] = "wrong_value" - else: -- raise ValueError( ++ elif isinstance(data["sysctlval"], list): ++ if len(data["sysctlval"]) == 0: + raise ValueError( - "Test scenarios for data type '{0}' are not implemented yet.\n" - "Please check if rule '{1}' has correct data type and edit " - "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) -+ elif isinstance(data["sysctlval"], list): ++ "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) + data["sysctl_correct_value"] = data["sysctlval"][0] -+ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] ++ if data["datatype"] == "int": ++ data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] ++ elif data["datatype"] == "string": ++ data["sysctl_wrong_value"] = "wrong_value" else: data["sysctl_correct_value"] = data["sysctlval"] if data["datatype"] == "int": 
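Review bot: In the new `elif isinstance(data["sysctlval"], list):` branch of `preprocess`, `data["sysctl_wrong_value"] = "1" + data["sysctlval"][0]` assumes the list entries are strings (an int entry from YAML would raise TypeError at build time) and can produce a value that is itself in the accepted list (e.g. entries "2" and "12"), in which case the wrong-value test scenario would pass instead of exercising the failing path. A safer construction is `wrong = "1" + str(data["sysctlval"][0])` followed by `while wrong in data["sysctlval"]: wrong = "1" + wrong` before assigning it to `data["sysctl_wrong_value"]`. A short comment on that line, such as `# derived wrong value; must not coincide with any accepted entry`, would make the intent clear to the next maintainer. `preprocess` begins and ends outside this hunk.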
@@ -796,6 +560,1329 @@ index fa981a9dce..9083a6a418 100644 - "Please check if rule '{1}' has correct data type and edit " - "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) return data --- -2.37.1 +From c50304234dfac1dcd74b3056c978eec2c097216d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:47:51 +0200 +Subject: [PATCH 04/23] Move check unrelated to the test scenarios + +The check for an mepty list is unrelated to the test scenarios, +rather is a generic check to avoid problems during the build. +Therefore, it shouldn't be inside code block that is handling +data for test scenarios, but can be extracted to a sooner position. +--- + shared/templates/sysctl/template.py | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index c62591357c0..421e42c6ca1 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -11,7 +11,12 @@ def preprocess(data, lang): + data["flags"] = "SR" + ipv6_flag + if "operation" not in data: + data["operation"] = "equals" ++ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: ++ raise ValueError( ++ "The sysctlval parameter of {0} is an empty list".format( ++ data["_rule_id"])) + ++ # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + "Test scenarios for data type '{0}' are not implemented yet.\n" +@@ -19,7 +24,6 @@ def preprocess(data, lang): + "{2} to add tests for it.".format( + data["datatype"], data["_rule_id"], __file__)) + +- # Configure data for test scenarios + if data["sysctlval"] == "": + if data["datatype"] == "int": + data["sysctl_correct_value"] = "0" +@@ -28,9 +32,6 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- if 
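Review bot: The new list branch (`elif isinstance(data["sysctlval"], list):`) uses the elements unvalidated: `"1" + data["sysctlval"][0]` raises a bare TypeError if a rule.yml spells a value as an unquoted YAML integer, and since the OVAL template now dispatches on `SYSCTLVAL is string` / `SYSCTLVAL is sequence`, a non-string scalar would presumably match neither branch and render a test without any state. Normalising the values once, right after the empty-list check, avoids both failure modes: `data["sysctlval"] = [str(v) for v in data["sysctlval"]]` in the list case (and `str()` on the scalar form). `preprocess` begins and ends outside this hunk.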
len(data["sysctlval"]) == 0: +- raise ValueError( +- "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) + data["sysctl_correct_value"] = data["sysctlval"][0] + if data["datatype"] == "int": + data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] + +From eb1fe4f349e2dcadd9b870e074e679383601be62 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 11:57:50 +0200 +Subject: [PATCH 05/23] Allow multiple values in sysctl static configuration + +This extends the OVAL checks for sysctl static configuration +to enable a list of values instead of a single value in the +sysctlval parameter of the sysctl template. The template +will generate OVAL tests for each value in the sysctlval +list. +--- + shared/templates/sysctl/oval.template | 56 +++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index b73ccc94f72..4e1bf3cfce3 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -136,6 +136,7 @@ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + ++{{% if SYSCTLVAL is string %}} + + +@@ -146,6 +147,21 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++{{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ ++{{% endif %}} ++{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -154,6 +170,7 @@ + + + ++{{% if SYSCTLVAL is string %}} + +@@ -177,6 +194,37 @@ + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", 
"rhel7", "rhel8", "rhel9"] %}} ++ ++ ++ ++ ++{{% endif %}} ++{{% endfor %}} ++{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + + {{% endif %}} ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + +@@ -336,5 +385,12 @@ + {{% endif %}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ {{{ x }}} ++ ++{{% endfor %}} ++{{% endif %}} + + {{%- endif -%}} + +From 93d496fb8dda6c47707e27c0b2cad15616261f27 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 14:55:28 +0200 +Subject: [PATCH 06/23] Add option to allow system default + +Introduce new template option `missing_static_pass` to the +systemctl template. If this option is set to `"true"` in rule.yml +the OVAL will be generated in a way that the check will pass if +there is no sysctl static configuration option in the watched sysctl +configuration files. In other words, the OVAL check will pass if +the system default isn't overridden. +--- + shared/templates/sysctl/oval.template | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 4e1bf3cfce3..1719a59f9c7 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -134,6 +134,9 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++{{% endif %}} + + + {{% if SYSCTLVAL is string %}} +@@ -168,8 +171,20 @@ + + {{% endif %}} + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++{{% endif %}} + + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++ ++{{% endif %}} ++ + {{% if SYSCTLVAL is string %}} + +Date: Wed, 13 Jul 2022 17:02:35 +0200 +Subject: [PATCH 07/23] Accept multiple values in the sysctl remediation + +A new parameter sysctlval_remediate is introduced to the sysctl +template. 
This allows to choose which of the multiple values in +the sysctl list will be used in the Bash and Ansible remediations. +--- + docs/templates/template_reference.md | 8 ++++++++ + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 +++++----- + shared/templates/sysctl/template.py | 9 +++++++++ + 4 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index a439e3dca94..5785f1d453f 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -818,6 +818,14 @@ The selected value can be changed in the profile (consult the actual variable fo + - **sysctlval** - value of the sysctl value, eg. `'1'`. If this + parameter is not specified, XCCDF Value is used instead. + ++ - **sysctlval_remediate** - the value that will be used in remediations. ++ If **sysctlval_remediate** is not specified, the template will use the ++ value of the **sysctlval** parameter in the remediations. ++ This parameter is mandatory when the **sysctlval** parameter is a list ++ because we need to know which of the values in the list the system ++ should be remedied to. When the **sysctlval** parameter is not a list ++ this parameter is optional. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. 
+ +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index c13bb6637fe..7724db5e5ff 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} ++- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} + sysctl: + name: "{{{ SYSCTLVAR }}}" +- value: "{{{ SYSCTLVAL }}}" ++ value: "{{{ SYSCTLVAL_REMEDIATE }}}" + {{%- endif %}} + state: present + reload: yes +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index d67a59c3886..63948bd5a26 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do + fi + done + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # +@@ -38,11 +38,11 @@ done + # + # Set runtime for {{{ SYSCTLVAR }}} + # +-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" ++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" + + # +-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" +-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf ++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" ++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf + # +-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , 
SYSCTLVAL ) }}} ++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} + {{%- endif %}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 421e42c6ca1..2574d5d42b0 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -16,6 +16,15 @@ def preprocess(data, lang): + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + ++ if not data.get("sysctlval_remediate"): ++ if isinstance(data["sysctlval"], list): ++ raise ValueError( ++ "Problem with rule {0}: the 'sysctlval' parameter is a list " ++ "but we are missing the 'sysctlval_remediate' parameter, so " ++ "we don't know how to generate remediation content.".format( ++ data["_rule_id"])) ++ data["sysctlval_remediate"] = data["sysctlval"] ++ + # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + +From 8a3ba3f74760b360e179da221acf7bb06f4bdc12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:10:16 +0200 +Subject: [PATCH 08/23] Introduce new rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +This rule is very similar to the existing rule +sysctl_kernel_unprivileged_bpf_disabled, but it allows the sysctl +setting kernel.unprivileged_bpf_disabled to be either 1 or 2. Also, the +rule will pass when the explicit configuration isn't present, allowing +to honor the system's default value which is 2. The goal of this rule is +to prevent unnecessary modification of the RHEL system default value +while still checking for the secure configuration. + +See the explanation in +https://bugzilla.redhat.com/show_bug.cgi?id=2081728: +sysctl_kernel_unprivileged_bpf_disabled sets the +kernel.unprivileged_bpf_disabled value to 1. 
However, on RHEL 9 the +kernel supports new value 2 which per +https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled +makes it for a privileged admin to re-enable unprivileged BPF. The value +2 is also the RHEL 9 default. So the current +sysctl_kernel_unprivileged_bpf_disabled rule unnecessarily modifies +the RHEL 9 default. +--- + .../rule.yml | 82 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +new file mode 100644 +index 00000000000..f45769dd2d0 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -0,0 +1,82 @@ ++documentation_complete: true ++ ++prodtype: rhel9 ++ ++title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' ++ ++description: |- ++ To prevent unprivileged processes from using the bpf() syscall ++ the kernel.unprivileged_bpf_disabled kernel parameter must ++ be set to 1 or 2. ++ ++ Writing 1 to this entry will disable unprivileged calls to bpf(); once ++ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. ++ Once set to 1, this can't be cleared from the running kernel anymore. ++ ++ Writing 2 to this entry will also disable unprivileged calls to bpf(), ++ however, an admin can still change this setting later on, if needed, by ++ writing 0 or 1 to this entry. 
++ ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ ++rationale: |- ++ Loading and accessing the packet filters programs and maps using the bpf() ++ syscall has the potential of revealing sensitive information about the kernel state. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-87712-6 ++ ++references: ++ disa: CCI-000366 ++ nist: AC-6,SC-7(10) ++ ospp: FMT_SMF_EXT.1 ++ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 ++ stigid@ol8: OL08-00-040281 ++ stigid@rhel8: RHEL-08-040281 ++ ++ocil: |- ++ The runtime status of the kernel.unprivileged_bpf_disabled ++ kernel parameter can be queried by running the following command: ++
$ sysctl kernel.unprivileged_bpf_disabled
++ The output of the command should indicate either: ++ kernel.unprivileged_bpf_disabled = 1 ++ or: ++ kernel.unprivileged_bpf_disabled = 2 ++ The output of the command should not indicate: ++ kernel.unprivileged_bpf_disabled = 0 ++ ++ The preferable way how to assure the runtime compliance is to have ++ correct persistent configuration, and rebooting the system. ++ ++ The persistent kernel parameter configuration is performed by specifying the appropriate ++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ kernel.unprivileged_bpf_disabled = 1 ++ or: ++ kernel.unprivileged_bpf_disabled = 2 ++ ++ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. ++ ++ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" ++ ++fixtext: |- ++ Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. ++ ++srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.unprivileged_bpf_disabled ++ sysctlval: ++ - '1' ++ - '2' ++ sysctlval_remediate: "2" ++ missing_static_pass: "true" ++ datatype: int +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 914233f06bf..2c2cf12cafe 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1435,7 +1435,6 @@ CCE-87708-4 + CCE-87709-2 + CCE-87710-0 + CCE-87711-8 +-CCE-87712-6 + CCE-87713-4 + CCE-87714-2 + CCE-87715-9 + +From 0327b48990c2cf35aeff8adf63a2102378e43c54 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:21:50 +0200 +Subject: [PATCH 09/23] Add test scenarios for rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +--- + .../tests/system_default.pass.sh | 5 +++++ + .../tests/test_config.yml | 6 ++++++ + .../tests/value_0.fail.sh | 11 +++++++++++ + .../tests/value_1.pass.sh | 11 +++++++++++ + .../tests/value_2.pass.sh | 11 +++++++++++ + 5 files changed, 44 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
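Review bot: The OCIL grep at `$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d` references `sysctl`, which is not a variable this rule defines (it looks like a macro parameter copied over), so the command either fails to render or renders with an empty name and matches every assignment; spell it out as `grep -r '^\s*kernel.unprivileged_bpf_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d`, as the rest of the OCIL already does. Two more mismatches in the same hunk: the description calls `describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1")`, which tells the reader to set 1 while the rule accepts 1 or 2 and remediates to 2, and the references carry `stigid@rhel8: RHEL-08-040281` and `stigid@ol8: OL08-00-040281` in a rule whose `prodtype` is `rhel9`. Either pass `value="2"` (or describe "1 or 2") and drop the RHEL 8/OL 8 STIG ids, or add a comment explaining why they are kept.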
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +new file mode 100644 +index 00000000000..b9776227bdb +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +new file mode 100644 +index 00000000000..dbac89b4caa +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -0,0 +1,6 @@ ++deny_templated_scenarios: ++ - line_not_there.fail.sh ++ - comment.fail.sh ++ - wrong_value.fail.sh ++ - wrong_value_d_directory.fail.sh ++ - wrong_runtime.fail.sh +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +new file mode 100644 +index 00000000000..9f19e0140b4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="0" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +new file mode 100644 +index 00000000000..e976db594c8 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="1" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +new file mode 100644 +index 
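Review bot: In `value_0.fail.sh` the comment `# set correct runtime value to check if the filesystem configuration is evaluated properly` is copied from the pass scenarios, but the line below sets the disallowed value, `sysctl -w kernel.unprivileged_bpf_disabled="0"`. It is also worth noting that, per the rule description, once the runtime value is 1 it cannot be lowered again, so this write presumably fails when an earlier scenario left the runtime at 1 and the scenario then fails only through the `/etc/sysctl.conf` entry. Suggested replacement comment: `# set the disallowed runtime value too; if a previous run already pinned it to 1 this write fails and only the static check makes the scenario fail`.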
00000000000..b1537175eb4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="2" + +From 52415b3effb7bf80038b8d866982fd44c8c45312 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 09:14:53 +0200 +Subject: [PATCH 10/23] Use rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +Use rule sysctl_kernel_unprivileged_bpf_disabled_accept_default +instead of the rule sysctl_kernel_unprivileged_bpf_disabled +in the RHEL 9 OSPP profile. 
+--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index a7ba9532d2c..19e4878c4b0 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -74,7 +74,7 @@ selections: + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces +- - sysctl_kernel_unprivileged_bpf_disabled ++ - sysctl_kernel_unprivileged_bpf_disabled_accept_default + - service_kdump_disabled + + ### Audit + +From 4ff536a006a9d25c9c90a1b1e5fce0f957c51c28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 09:25:26 +0200 +Subject: [PATCH 11/23] Document that sysctlval can be a list + +--- + docs/templates/template_reference.md | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 5785f1d453f..716407fd5c9 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -815,7 +815,8 @@ The selected value can be changed in the profile (consult the actual variable fo + + - **datatype** - data type of the sysctl value, eg. `int`. + +- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this ++ - **sysctlval** - value of the sysctl value. This can be either an atomic ++ value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this + parameter is not specified, XCCDF Value is used instead. + + - **sysctlval_remediate** - the value that will be used in remediations. 
+ +From df27fec11a6e8037288ee8cf5b7bfc7d05537f33 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:00:59 +0200 +Subject: [PATCH 12/23] Document the missing_static_pass option + +--- + docs/templates/template_reference.md | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 716407fd5c9..65da697b808 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,11 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **missing_static_pass** - if set to `true` the check will pass if the ++ setting for the given **sysctlvar** is not present in sysctl ++ configuration files. In other words, the check will pass if the system ++ default isn't overriden by configuration. Default value: `false`. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. + + +From e8b8497d32d84282d7f34d83f3661c02235d33cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:03:53 +0200 +Subject: [PATCH 13/23] Introduce sysctlval_wrong parameter + +When the `sysctalval` parameter is a list, this parameter will be +substitued into the SYSCTL_WRONG_VALUE parameter in test scenarios. This +is better than current computing of the SYSCTL_WRONG_VALUE parameter +which is done by prepending "1" to the string value, because the +computed value could be invalid and the `sysctl -w` command used in the +test scenario wrong_runtime.fail.sh could fail to set the value to +SYSCTL_WRONG_VALUE therefore not changing the runtime. 
If at the same +time the `missing_static_pass` is set to `true` and the system is set to +system default, then the unchanged runtime would cause the check to pass +and therefore the test scenario wrong_runtime.fail.sh to error. +--- + docs/templates/template_reference.md | 3 +++ + .../rule.yml | 1 + + shared/templates/sysctl/template.py | 7 ++----- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 65da697b808..7e1fc7049cf 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,9 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **sysctlval_wrong** - the value that is always wrong. This will be used ++ only in the test scenarios only if **sysctlval** is a list. ++ + - **missing_static_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + configuration files. 
In other words, the check will pass if the system +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index f45769dd2d0..ddff15dff8f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -78,5 +78,6 @@ template: + - '1' + - '2' + sysctlval_remediate: "2" ++ sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 2574d5d42b0..96663694997 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -41,11 +41,8 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- data["sysctl_correct_value"] = data["sysctlval"][0] +- if data["datatype"] == "int": +- data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] +- elif data["datatype"] == "string": +- data["sysctl_wrong_value"] = "wrong_value" ++ data["sysctl_correct_value"] = data["sysctlval_remediate"] ++ data["sysctl_wrong_value"] = data["sysctlval_wrong"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + +From 5f391a7053f7ce18dd34c45a1d319d65b78348d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:23:59 +0200 +Subject: [PATCH 14/23] Change test_config.yml + +--- + .../tests/test_config.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
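Review bot: The list branch now reads `data["sysctlval_wrong"]` with no presence check, so a rule that lists `sysctlval` but omits `sysctlval_wrong` dies with a bare KeyError instead of the rule-id-bearing ValueError the empty-list check above raises. Nothing verifies that the wrong value is actually outside the accepted list either; `sysctlval_wrong: "1"` next to `sysctlval: ['1','2']` would make `wrong_value.fail.sh` pass and the scenario error, which is the class of false-negative test this parameter was introduced to avoid. Guard both with the same shape as the existing checks: `if "sysctlval_wrong" not in data or data["sysctlval_wrong"] in data["sysctlval"]:` followed by `raise ValueError("Rule {0}: sysctlval_wrong must be set and must not be one of sysctlval".format(data["_rule_id"]))`. `preprocess` begins and ends outside this hunk.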
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +index dbac89b4caa..c379680e25c 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -1,6 +1,6 @@ + deny_templated_scenarios: ++ # this rule uses missing_static_pass: true which means the check should pass ++ # if the configuration is missing (or commented out) therefore we disable ++ # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh + - comment.fail.sh +- - wrong_value.fail.sh +- - wrong_value_d_directory.fail.sh +- - wrong_runtime.fail.sh + +From 92207a9bd11df0e69bf732e27fb91e5db270f7f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 15 Jul 2022 10:36:05 +0200 +Subject: [PATCH 15/23] Simplify sysctl template + +Instead of using multiple OVAL tests in OR relation we can have +a single OVAL test containing multiple OVAL states in OR relation. +That will simplify the code. 
+--- + shared/templates/sysctl/oval.template | 82 +++++---------------------- + 1 file changed, 13 insertions(+), 69 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 1719a59f9c7..8241c391ad2 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -8,7 +8,13 @@ + + {{% macro state_static_sysctld(prefix) -%}} + ++{{% if SYSCTLVAL is string %}} + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++{{% endif %}} + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +@@ -62,38 +68,24 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} +-{{% if SYSCTLVAL is string %}} + + + +-{{% elif SYSCTLVAL is sequence %}} +- +-{{% for x in SYSCTLVAL %}} +- +-{{% endfor %}} +- +-{{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + ++ check="all" check_existence="all_exist" state_operator="OR"> + ++{{% if SYSCTLVAL is string %}} + +- + {{% elif SYSCTLVAL is sequence %}} + {{% for x in SYSCTLVAL %}} +- +- + +- + {{% endfor %}} + {{% endif %}} ++ + + + {{{ SYSCTLVAR }}} +@@ -139,7 +131,6 @@ + {{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + + +@@ -150,21 +141,6 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + +-{{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +-{{% endif %}} +-{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -185,61 +161,29 @@ +
+ {{% endif %}} + +-{{% if SYSCTLVAL is string %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR"> + {{{ state_static_sysctld("sysctl") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("etc_sysctld") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("run_sysctld") }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +- +- +- +-{{% endif %}} +-{{% endfor %}} +-{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + +Date: Mon, 25 Jul 2022 15:40:24 +0200 +Subject: [PATCH 16/23] Replace the sysctlval_remediate template parameter + +Replace the sysctlval_remediate template parameter by using an XCCDF +value. The variable would be only used in the remediation and would +allow users to tailor the value, instead of the current solution where +the value is hardcoded and can be only changed during build time. 
+--- + docs/templates/template_reference.md | 21 +++++++++---------- + .../rule.yml | 1 - + products/rhel9/profiles/ospp.profile | 1 + + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 ++++----- + shared/templates/sysctl/template.py | 11 +--------- + 6 files changed, 20 insertions(+), 30 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 7e1fc7049cf..00f991daae7 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -815,17 +815,16 @@ The selected value can be changed in the profile (consult the actual variable fo + + - **datatype** - data type of the sysctl value, eg. `int`. + +- - **sysctlval** - value of the sysctl value. This can be either an atomic +- value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this +- parameter is not specified, XCCDF Value is used instead. +- +- - **sysctlval_remediate** - the value that will be used in remediations. +- If **sysctlval_remediate** is not specified, the template will use the +- value of the **sysctlval** parameter in the remediations. +- This parameter is mandatory when the **sysctlval** parameter is a list +- because we need to know which of the values in the list the system +- should be remedied to. When the **sysctlval** parameter is not a list +- this parameter is optional. ++ - **sysctlval** - value of the sysctl value. This can be either not ++ specified, or an atomic value, eg. `'1'`, or a list of values, ++ eg. `['1','2']`. ++ - If this parameter is not specified, an XCCDF Value is used instead ++ in OVAL check and remediations. ++ - If this parameter is set to an atomic value, this atomic value ++ will be used in OVAL check and remediations. ++ - If this parameter is set to a list of values, the list will be used ++ in the OVAL check, but won't be used in the remediations. ++ All remediations will use an XCCDF value instead. 
+ + - **sysctlval_wrong** - the value that is always wrong. This will be used + only in the test scenarios only if **sysctlval** is a list. +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index ddff15dff8f..9936ed777c8 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -77,7 +77,6 @@ template: + sysctlval: + - '1' + - '2' +- sysctlval_remediate: "2" + sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 19e4878c4b0..b47630c62b0 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,6 +75,7 @@ selections: + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled_accept_default ++ - sysctl_kernel_unprivileged_bpf_disabled_value=2 + - service_kdump_disabled + + ### Audit +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index 7724db5e5ff..edc4d3fb667 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL_REMEDIATE == "" %}} ++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} ++- 
name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} + sysctl: + name: "{{{ SYSCTLVAR }}}" +- value: "{{{ SYSCTLVAL_REMEDIATE }}}" ++ value: "{{{ SYSCTLVAL }}}" + {{%- endif %}} + state: present + reload: yes +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index 63948bd5a26..cd3424b0228 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do + fi + done + +-{{%- if SYSCTLVAL_REMEDIATE == "" %}} ++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # +@@ -38,11 +38,11 @@ done + # + # Set runtime for {{{ SYSCTLVAR }}} + # +-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" ++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" + + # +-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" +-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf ++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" ++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf + # +-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} ++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL ) }}} + {{%- endif %}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 96663694997..2b779f99a62 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -16,15 +16,6 @@ def preprocess(data, lang): + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + +- if not data.get("sysctlval_remediate"): +- if isinstance(data["sysctlval"], list): +- raise ValueError( +- "Problem with rule {0}: the 'sysctlval' parameter is a list " +- "but we are missing 
the 'sysctlval_remediate' parameter, so " +- "we don't know how to generate remediation content.".format( +- data["_rule_id"])) +- data["sysctlval_remediate"] = data["sysctlval"] +- + # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( +@@ -41,7 +32,7 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- data["sysctl_correct_value"] = data["sysctlval_remediate"] ++ data["sysctl_correct_value"] = data["sysctlval"][0] + data["sysctl_wrong_value"] = data["sysctlval_wrong"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + +From 817b47544b4a62aad8153360839bb14dd607d46d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 15:47:11 +0200 +Subject: [PATCH 17/23] Rename a template parameter + +Rename the sysctlval_wrong parameter to wrong_sysctlval_for_testing +--- + docs/templates/template_reference.md | 4 ++-- + .../rule.yml | 2 +- + shared/templates/sysctl/template.py | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 00f991daae7..4e6357c1579 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -826,8 +826,8 @@ The selected value can be changed in the profile (consult the actual variable fo + in the OVAL check, but won't be used in the remediations. + All remediations will use an XCCDF value instead. + +- - **sysctlval_wrong** - the value that is always wrong. This will be used +- only in the test scenarios only if **sysctlval** is a list. ++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used ++ only in the templated test scenarios only if **sysctlval** is a list. 
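Review bot: With `data["sysctl_correct_value"] = data["sysctlval"][0]` in the `preprocess` hunk, the first list element silently becomes the value the templated test scenarios apply, while the remediations now write whatever the XCCDF variable defaults to; for the bpf rule in this series that means tests set `kernel.unprivileged_bpf_disabled=1` — the value the rule text says cannot be cleared from the running kernel — and the variable remediates to 2. Whether that leaks into later scenarios depends on how the test suite isolates runs, which is not visible here, but the dropped ValueError also means a list-valued `sysctlval` with no matching `sysctl_<id>_value` variable is no longer caught at template time. I'd at least make the ordering contract explicit on that line: `data["sysctl_correct_value"] = data["sysctlval"][0]  # first element is what templated tests apply; order the list so it is safe to set on a test machine`, and state the same in template_reference.md. `preprocess` starts and ends outside this hunk.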
+
+ - **missing_static_pass** - if set to `true` the check will pass if the
+ setting for the given **sysctlvar** is not present in sysctl
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+index 9936ed777c8..b8af4f7560d 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+@@ -77,6 +77,6 @@ template:
+ sysctlval:
+ - '1'
+ - '2'
+- sysctlval_wrong: "0"
++ wrong_sysctlval_for_testing: "0"
+ missing_static_pass: "true"
+ datatype: int
+diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
+index 2b779f99a62..9083a6a4185 100644
+--- a/shared/templates/sysctl/template.py
++++ b/shared/templates/sysctl/template.py
+@@ -33,7 +33,7 @@ def preprocess(data, lang):
+ data["sysctl_wrong_value"] = "wrong_value"
+ elif isinstance(data["sysctlval"], list):
+ data["sysctl_correct_value"] = data["sysctlval"][0]
+- data["sysctl_wrong_value"] = data["sysctlval_wrong"]
++ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"]
+ else:
+ data["sysctl_correct_value"] = data["sysctlval"]
+ if data["datatype"] == "int":
+
+From ed48698e95f96891889fa2c2039172015ae9f069 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 25 Jul 2022 15:56:26 +0200
+Subject: [PATCH 18/23] Rename parameter missing_static_pass
+
+Rename the parameter missing_static_pass to missing_parameter_pass
+to make the naming consistent with other templates where a parameter
+with a similar meaning exist.
+---
+ docs/templates/template_reference.md | 2 +-
+ .../rule.yml | 2 +-
+ .../tests/test_config.yml | 2 +-
+ shared/templates/sysctl/oval.template | 6 +++---
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index 4e6357c1579..0fff58c0a23 100644
+--- a/docs/templates/template_reference.md
++++ b/docs/templates/template_reference.md
+@@ -829,7 +829,7 @@ The selected value can be changed in the profile (consult the actual variable fo
+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used
+ only in the templated test scenarios only if **sysctlval** is a list.
+
+- - **missing_static_pass** - if set to `true` the check will pass if the
++ - **missing_parameter_pass** - if set to `true` the check will pass if the
+ setting for the given **sysctlvar** is not present in sysctl
+ configuration files. In other words, the check will pass if the system
+ default isn't overriden by configuration. Default value: `false`.
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index b8af4f7560d..7d8769a913f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -78,5 +78,5 @@ template: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" +- missing_static_pass: "true" ++ missing_parameter_pass: "true" + datatype: int +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +index c379680e25c..5cf68074050 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -1,5 +1,5 @@ + deny_templated_scenarios: +- # this rule uses missing_static_pass: true which means the check should pass ++ # this rule uses missing_parameter_pass: true which means the check should pass + # if the configuration is missing (or commented out) therefore we disable + # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 8241c391ad2..1a7c4979bbe 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -126,7 +126,7 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} +-{{% 
if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + {{% endif %}} + +@@ -147,13 +147,13 @@ + + {{% endif %}} + +-{{% if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + + {{% endif %}} + + +-{{% if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + +From f022f549c6d0b5bc0d24c5d1b7c606d23efbd6d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 16:26:03 +0200 +Subject: [PATCH 19/23] Add a variable + sysctl_kernel_unprivileged_bpf_disabled_value + +--- + ..._kernel_unprivileged_bpf_disabled_value.var | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +new file mode 100644 +index 00000000000..b8bf965a255 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++title: kernel.unprivileged_bpf_disabled ++ ++description: |- ++ Prevent unprivileged processes from using the bpf() syscall. 
++ ++type: number ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ default: 2 ++ 0: "0" ++ 1: "1" ++ 2: "2" + +From 4c8ef02cc91c821d56c061f6d8e2ba1675d0c414 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:09 +0200 +Subject: [PATCH 20/23] Improve documentation of the sysctl template + +--- + docs/templates/template_reference.md | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 0fff58c0a23..e73b95450fe 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -819,15 +819,19 @@ The selected value can be changed in the profile (consult the actual variable fo + specified, or an atomic value, eg. `'1'`, or a list of values, + eg. `['1','2']`. + - If this parameter is not specified, an XCCDF Value is used instead +- in OVAL check and remediations. ++ in OVAL check and remediations. The XCCDF Value should have a file ++ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, ++ where the `escaped_sysctlvar` is a value of the **sysctlvar** ++ parameter in which all characters that don't match the `\w` regular ++ expression are replaced by an underscore (`_`). + - If this parameter is set to an atomic value, this atomic value + will be used in OVAL check and remediations. + - If this parameter is set to a list of values, the list will be used + in the OVAL check, but won't be used in the remediations. + All remediations will use an XCCDF value instead. + +- - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used +- only in the templated test scenarios only if **sysctlval** is a list. ++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This ++ will be used in templated test scenarios when **sysctlval** is a list. 
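Review bot: The new variable offers `0: "0"` as a selectable option, but the only consumer in this series (`sysctl_kernel_unprivileged_bpf_disabled_accept_default`, `sysctlval: ['1','2']`, with `wrong_sysctlval_for_testing: "0"`) treats 0 as the failing value, so a tailored profile that picks it makes the remediation re-enable unprivileged bpf() and the rule fail by design. Unless there is a deliberate use case, I'd drop the `0: "0"` line so the variable cannot select a value the check rejects. The one-line description also hides the choice a tailor is actually making, which the rule text later in this series spells out; something like `Prevent unprivileged processes from using the bpf() syscall. Setting 1 cannot be cleared from the running kernel; 2 can still be changed later by an administrator.` would make that visible where the value is selected.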
+ + - **missing_parameter_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + +From 0f89cab50807ecf75269acc49e0c290c139beea6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:34 +0200 +Subject: [PATCH 21/23] Remove RHEL 8 STIG ID + +--- + .../rule.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 7d8769a913f..ec3b5aef82f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -33,8 +33,6 @@ references: + nist: AC-6,SC-7(10) + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 +- stigid@ol8: OL08-00-040281 +- stigid@rhel8: RHEL-08-040281 + + ocil: |- + The runtime status of the kernel.unprivileged_bpf_disabled + +From 5c2116eb08b84c43d644f6ce51744732a63fb206 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:47 +0200 +Subject: [PATCH 22/23] Fix a typo + +--- + .../rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index ec3b5aef82f..589deccb0c7 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -62,7 +62,7 @@ ocil: |- + 
ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" + + fixtext: |- +- Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. ++ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. + + srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' + + +From 22e5a11f3232234a939dc6a806752b1fa5c69ce4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 27 Jul 2022 10:36:04 +0200 +Subject: [PATCH 23/23] Mention both values 1 and 2 in the rule description + +--- + .../rule.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 589deccb0c7..259d1f901c6 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -13,11 +13,13 @@ description: |- + disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. + Once set to 1, this can't be cleared from the running kernel anymore. + ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ + Writing 2 to this entry will also disable unprivileged calls to bpf(), + however, an admin can still change this setting later on, if needed, by + writing 0 or 1 to this entry. 
+ +- {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} + + rationale: |- + Loading and accessing the packet filters programs and maps using the bpf() diff --git a/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch b/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch new file mode 100644 index 0000000..7e5ee66 --- /dev/null +++ b/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch 
@@ -0,0 +1,92 @@ +From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 8 Aug 2022 14:34:34 +0200 +Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about + configuring queues + +--- + .../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +index 4ce56d2e6a5..c73d9ec95a6 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +@@ -90,3 +90,20 @@ fixtext: |- + *.* @@[remoteloggingserver]:[port]" + + srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.' ++ ++warnings: ++ - functionality: |- ++ It is important to configure queues in case the client is sending log ++ messages to a remote server. If queues are not configured, there is a ++ danger that the system will stop functioning in case that the connection ++ to the remote server is not available. Please consult Rsyslog ++ documentation for more information about configuration of queues. The ++ example configuration which should go into /etc/rsyslog.conf ++ can look like the following lines: ++
++        $ActionQueueType LinkedList
++        $ActionQueueFileName somenameforprefix
++        $ActionQueueMaxDiskSpace 1g
++        $ActionQueueSaveOnShutdown on
++        $ActionResumeRetryCount -1
++        
+ +From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Tue, 9 Aug 2022 09:41:00 +0200 +Subject: [PATCH 2/3] Apply suggestions from code review + +Co-authored-by: Watson Yuuma Sato +--- + .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +index c73d9ec95a6..706d3265a08 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +@@ -95,14 +95,14 @@ warnings: + - functionality: |- + It is important to configure queues in case the client is sending log + messages to a remote server. If queues are not configured, there is a +- danger that the system will stop functioning in case that the connection ++ the system will stop functioning when the connection + to the remote server is not available. Please consult Rsyslog + documentation for more information about configuration of queues. The + example configuration which should go into /etc/rsyslog.conf + can look like the following lines: +
+         $ActionQueueType LinkedList
+-        $ActionQueueFileName somenameforprefix
++        $ActionQueueFileName queuefilename
+         $ActionQueueMaxDiskSpace 1g
+         $ActionQueueSaveOnShutdown on
+         $ActionResumeRetryCount -1
+
+From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
+From: vojtapolasek 
+Date: Tue, 9 Aug 2022 10:55:04 +0200
+Subject: [PATCH 3/3] Update
+ linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+
+Co-authored-by: Watson Yuuma Sato 
+---
+ .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 706d3265a08..cce4d5cac1d 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
+ warnings:
+     - functionality: |-
+         It is important to configure queues in case the client is sending log
+-        messages to a remote server. If queues are not configured, there is a
++        messages to a remote server. If queues are not configured,
+         the system will stop functioning when the connection
+         to the remote server is not available. Please consult Rsyslog
+         documentation for more information about configuration of queues. The
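Review bot: The queue snippet in the added `functionality` warning does not say where it must be placed: the legacy `$ActionQueue*` and `$ActionResumeRetryCount` directives apply only to the action defined immediately after them, so they have to directly precede the `*.* @@[remoteloggingserver]:[port]` line from the fixtext, otherwise the forwarding action still runs unqueued. I'd add a sentence before the example, e.g. `These directives must be placed immediately before the forwarding action (the *.* @@... line) they are meant to protect.` It is also worth noting that `$ActionQueueMaxDiskSpace 1g` bounds the on-disk queue, so during an outage long enough to fill it newer messages can no longer be queued — that is the trade-off for the unlimited `$ActionResumeRetryCount -1`, and administrators should size it to the outage they want to survive. The enclosing rule.yml continues outside the hunk.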
diff --git a/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch b/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch
deleted file mode 100644
index 7cd6a2d..0000000
--- a/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch
+++ /dev/null
@@ -1,2957 +0,0 @@
-From b9a5b670570ad914167f4f5efb85f2f9e3e7479e Mon Sep 17 00:00:00 2001
-From: YuQing 
-Date: Thu, 29 Dec 2022 16:57:11 +0800
-Subject: [PATCH] support anolis8
-
----
- CMakeLists.txt                                |   5 +
- build_product                                 |   1 +
- .../service_avahi-daemon_disabled/rule.yml    |   2 +-
- .../base/service_abrtd_disabled/rule.yml      |   2 +-
- .../base/service_qpidd_disabled/rule.yml      |   2 +-
- .../base/service_rdisc_disabled/rule.yml      |   2 +-
- .../file_groupowner_cron_d/rule.yml           |   2 +-
- .../file_groupowner_cron_daily/rule.yml       |   2 +-
- .../file_groupowner_cron_hourly/rule.yml      |   2 +-
- .../file_groupowner_cron_monthly/rule.yml     |   2 +-
- .../file_groupowner_cron_weekly/rule.yml      |   2 +-
- .../file_groupowner_crontab/rule.yml          |   2 +-
- .../cron_and_at/file_owner_cron_d/rule.yml    |   2 +-
- .../file_owner_cron_daily/rule.yml            |   2 +-
- .../file_owner_cron_hourly/rule.yml           |   2 +-
- .../file_owner_cron_monthly/rule.yml          |   2 +-
- .../file_owner_cron_weekly/rule.yml           |   2 +-
- .../cron_and_at/file_owner_crontab/rule.yml   |   2 +-
- .../file_permissions_cron_d/rule.yml          |   2 +-
- .../file_permissions_cron_daily/rule.yml      |   2 +-
- .../file_permissions_cron_hourly/rule.yml     |   2 +-
- .../file_permissions_cron_monthly/rule.yml    |   2 +-
- .../file_permissions_cron_weekly/rule.yml     |   2 +-
- .../file_permissions_crontab/rule.yml         |   2 +-
- .../file_at_deny_not_exist/rule.yml           |   2 +-
- .../file_cron_deny_not_exist/rule.yml         |   2 +-
- .../file_groupowner_at_allow/rule.yml         |   2 +-
- .../file_groupowner_cron_allow/rule.yml       |   2 +-
- .../file_owner_at_allow/rule.yml              |   2 +-
- .../file_owner_cron_allow/rule.yml            |   2 +-
- .../file_permissions_at_allow/rule.yml        |   2 +-
- .../file_permissions_cron_allow/rule.yml      |   2 +-
- .../cron_and_at/service_atd_disabled/rule.yml |   2 +-
- .../service_crond_enabled/rule.yml            |   2 +-
- .../service_dhcpd_disabled/rule.yml           |   2 +-
- .../package_bind_removed/rule.yml             |   2 +-
- .../service_named_disabled/rule.yml           |   2 +-
- .../service_vsftpd_disabled/rule.yml          |   2 +-
- .../service_httpd_disabled/rule.yml           |   2 +-
- .../service_dovecot_disabled/rule.yml         |   2 +-
- .../service_slapd_disabled/rule.yml           |   2 +-
- .../service_rpcbind_disabled/rule.yml         |   2 +-
- .../service_nfs_disabled/rule.yml             |   2 +-
- .../nis/service_ypserv_disabled/rule.yml      |   2 +-
- .../obsolete/service_rsyncd_disabled/rule.yml |   2 +-
- .../printing/service_cups_disabled/rule.yml   |   2 +-
- .../service_squid_disabled/rule.yml           |   2 +-
- .../service_smb_disabled/rule.yml             |   2 +-
- .../service_snmpd_disabled/rule.yml           |   2 +-
- .../ssh/file_groupowner_sshd_config/rule.yml  |   2 +-
- .../ssh/file_owner_sshd_config/rule.yml       |   2 +-
- .../ssh/file_permissions_sshd_config/rule.yml |   2 +-
- .../banner_etc_issue/rule.yml                 |   2 +-
- .../accounts-banners/banner_etc_motd/rule.yml |   2 +-
- .../file_groupowner_etc_issue/rule.yml        |   2 +-
- .../file_groupowner_etc_motd/rule.yml         |   2 +-
- .../file_owner_etc_issue/rule.yml             |   2 +-
- .../file_owner_etc_motd/rule.yml              |   2 +-
- .../file_permissions_etc_issue/rule.yml       |   2 +-
- .../file_permissions_etc_motd/rule.yml        |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../accounts_password_pam_minclass/rule.yml   |   2 +-
- .../accounts_password_pam_minlen/rule.yml     |   2 +-
- .../accounts_password_pam_retry/rule.yml      |   2 +-
- .../rule.yml                                  |   2 +-
- .../require_emergency_target_auth/rule.yml    |   2 +-
- .../require_singleuser_auth/rule.yml          |   2 +-
- .../rule.yml                                  |   2 +-
- .../account_unique_id/rule.yml                |   2 +-
- .../group_unique_id/rule.yml                  |   2 +-
- .../group_unique_name/rule.yml                |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../no_shelllogin_for_systemaccounts/rule.yml |   2 +-
- .../root_logins/use_pam_wheel_for_su/rule.yml |   2 +-
- .../accounts-session/accounts_tmout/rule.yml  |   2 +-
- .../rule.yml                                  |   2 +-
- .../file_ownership_home_directories/rule.yml  |   2 +-
- .../accounts_umask_etc_bashrc/rule.yml        |   2 +-
- .../audit_rules_file_deletion_events/rule.yml |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../file_groupowner_grub2_cfg/rule.yml        |   2 +-
- .../non-uefi/file_owner_grub2_cfg/rule.yml    |   2 +-
- .../file_permissions_grub2_cfg/rule.yml       |   2 +-
- .../non-uefi/grub2_password/rule.yml          |   2 +-
- .../file_groupowner_efi_grub2_cfg/rule.yml    |   2 +-
- .../uefi/file_owner_efi_grub2_cfg/rule.yml    |   2 +-
- .../file_permissions_efi_grub2_cfg/rule.yml   |   2 +-
- .../uefi/grub2_uefi_password/rule.yml         |   2 +-
- .../journald/journald_compress/rule.yml       |   2 +-
- .../journald_forward_to_syslog/rule.yml       |   2 +-
- .../journald/journald_storage/rule.yml        |   2 +-
- .../package_firewalld_installed/rule.yml      |   2 +-
- .../service_firewalld_enabled/rule.yml        |   2 +-
- .../package_libreswan_installed/rule.yml      |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../sysctl_net_ipv4_tcp_syncookies/rule.yml   |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../sysctl_net_ipv4_ip_forward/rule.yml       |   2 +-
- .../kernel_module_dccp_disabled/rule.yml      |   2 +-
- .../kernel_module_sctp_disabled/rule.yml      |   2 +-
- .../wireless_disable_interfaces/rule.yml      |   2 +-
- .../rule.yml                                  |   2 +-
- .../rule.yml                                  |   2 +-
- .../file_permissions_ungroupowned/rule.yml    |   2 +-
- .../mounting/service_autofs_disabled/rule.yml |   2 +-
- .../disable_users_coredumps/rule.yml          |   2 +-
- .../configure_bind_crypto_policy/rule.yml     |   2 +-
- .../crypto/configure_crypto_policy/rule.yml   |   2 +-
- .../configure_kerberos_crypto_policy/rule.yml |   2 +-
- .../rule.yml                                  |   2 +-
- .../configure_openssl_crypto_policy/rule.yml  |   2 +-
- .../configure_ssh_crypto_policy/rule.yml      |   2 +-
- .../aide/aide_periodic_cron_checking/rule.yml |   2 +-
- .../aide/package_aide_installed/rule.yml      |   2 +-
- .../rpm_verify_hashes/rule.yml                |   2 +-
- .../rpm_verify_permissions/rule.yml           |   2 +-
- .../rule.yml                                  |   2 +-
- .../ensure_redhat_gpgkey_installed/rule.yml   |   2 +-
- .../security_patches_up_to_date/rule.yml      |   2 +-
- products/anolis8/CMakeLists.txt               |   6 +
- products/anolis8/overlays/.gitkeep            |   0
- products/anolis8/product.yml                  |  23 +
- products/anolis8/profiles/standard.profile    | 728 ++++++++++++++++++
- products/anolis8/transforms/constants.xslt    |  10 +
- products/anolis8/transforms/table-style.xslt  |   5 +
- .../transforms/xccdf-apply-overlay-stig.xslt  |   8 +
- .../anolis8/transforms/xccdf2table-cce.xslt   |   9 +
- .../xccdf2table-profileccirefs.xslt           |   9 +
- .../checks/oval/installed_OS_is_anolis8.xml   |  28 +
- .../oval/sysctl_kernel_ipv6_disable.xml       |   1 +
- ssg/constants.py                              |   6 +-
- tests/unit/ssg-module/test_utils.py           |   2 +-
- 163 files changed, 987 insertions(+), 150 deletions(-)
- create mode 100644 products/anolis8/CMakeLists.txt
- create mode 100644 products/anolis8/overlays/.gitkeep
- create mode 100644 products/anolis8/product.yml
- create mode 100644 products/anolis8/profiles/standard.profile
- create mode 100644 products/anolis8/transforms/constants.xslt
- create mode 100644 products/anolis8/transforms/table-style.xslt
- create mode 100644 products/anolis8/transforms/xccdf-apply-overlay-stig.xslt
- create mode 100644 products/anolis8/transforms/xccdf2table-cce.xslt
- create mode 100644 products/anolis8/transforms/xccdf2table-profileccirefs.xslt
- create mode 100644 shared/checks/oval/installed_OS_is_anolis8.xml
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index e7a1ee7f1b..b25c043536 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -69,6 +69,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui
- # unless explicitly asked for.
- option(SSG_PRODUCT_ALINUX2 "If enabled, the Alinux 2 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_ALINUX3 "If enabled, the Alinux 3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-+option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-@@ -274,6 +275,7 @@ message(STATUS " ")
- message(STATUS "Products:")
- message(STATUS "Alinux 2: ${SSG_PRODUCT_ALINUX2}")
- message(STATUS "Alinux 3: ${SSG_PRODUCT_ALINUX3}")
-+message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}")
- message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
- message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}")
- message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
-@@ -345,6 +347,9 @@ endif()
- if (SSG_PRODUCT_ALINUX3)
-     add_subdirectory("products/alinux3" "alinux3")
- endif()
-+if (SSG_PRODUCT_ANOLIS8)
-+    add_subdirectory("products/anolis8" "anolis8")
-+endif()
- if (SSG_PRODUCT_CHROMIUM)
-     add_subdirectory("products/chromium" "chromium")
- endif()
-diff --git a/build_product b/build_product
-index 24ca39b408..011d23afc4 100755
---- a/build_product
-+++ b/build_product
-@@ -299,6 +299,7 @@ set_explict_build_targets() {
- all_cmake_products=(
- 	ALINUX2
- 	ALINUX3
-+	ANOLIS8
- 	CHROMIUM
- 	DEBIAN9
- 	DEBIAN10
-diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-index a8c094ecb2..0ff67a5f08 100644
---- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
- 
- title: 'Disable Avahi Server Software'
- 
-diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-index 6abe7b263b..38557afea1 100644
---- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,uos20
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,uos20
- 
- title: 'Disable Automatic Bug Reporting Tool (abrtd)'
- 
-diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-index e33eba2efa..c71ce1b230 100644
---- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-@@ -1,7 +1,7 @@
- documentation_complete: true
- 
- # package is unlikely to appear on a RHEL9 system, don't extend to RHEL10
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
- 
- title: 'Disable Apache Qpid (qpidd)'
- 
-diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-index 75e2ada151..7ca16e3864 100644
---- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
- 
- title: 'Disable Network Router Discovery Daemon (rdisc)'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
-index 908087499e..9916a189e6 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns cron.d'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-index 821cd13890..100b65a4fd 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns cron.daily'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-index ab2a16f811..f82f02dd85 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns cron.hourly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-index 0716370105..c0e0d5c9a6 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,rhel7,anolis8,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns cron.monthly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-index 32c5f6f8f8..f8f0ec7b2a 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns cron.weekly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-index 2865d54d83..49eab068de 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns Crontab'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-index 68ad645a56..46dcd7834d 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Owner on cron.d'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-index 371fc9d396..8276930669 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Owner on cron.daily'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-index f24897bdad..2d440fb041 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Owner on cron.hourly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-index 187eec8edb..3f67f4460f 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Owner on cron.monthly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-index f1d67d9bd9..815e388dd0 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Owner on cron.weekly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-index da2c8fad6d..17f6ad6104 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Owner on crontab'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
-index a9130cefd5..8739f52446 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on cron.d'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
-index 514ec15e05..787c56cd04 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on cron.daily'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
-index 1a7934b24a..969c1d5e3a 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on cron.hourly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
-index b05c8eab1b..3b3b0eb0ee 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on cron.monthly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
-index d5d4e8db18..112e429da4 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on cron.weekly'
- 
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
-index ffa87a2702..044c6c4ac9 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on crontab'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
-index 31a2180bcb..677d75d666 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9
-+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9
- 
- title: 'Ensure that /etc/at.deny does not exist'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
-index 9fb0d5b39d..8c79dfde16 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle15
- 
- title: 'Ensure that /etc/cron.deny does not exist'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
-index ae516b961a..d78a713258 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel8,rhel9,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns /etc/at.allow file'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
-index 8879c0fa2b..58df895763 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns /etc/cron.allow file'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
-index c8d7092226..f9b421a587 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,sle12,sle15,ubuntu2004
- 
- title: 'Verify User Who Owns /etc/at.allow file'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
-index 9e6670911d..cc75d54f87 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify User Who Owns /etc/cron.allow file'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
-index 279d36347e..776c0db6cf 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel8,rhel9,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on /etc/at.allow file'
- 
-diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
-index adb16ec6b8..ef366a7927 100644
---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15,ubuntu2004
- 
- title: 'Verify Permissions on /etc/cron.allow file'
- 
-diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-index de88deaa2a..91f458db00 100644
---- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
- 
- title: 'Disable At Service (atd)'
- 
-diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-index dbb7c7a06b..ace9ba592f 100644
---- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Enable cron Service'
- 
-diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-index 0eb3829b17..fb9629af78 100644
---- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable DHCP Service'
- 
-diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
-index bc2e7411cf..d0a4064ce3 100644
---- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
-+++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,uos20
-+prodtype: anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,uos20
- 
- title: 'Uninstall bind Package'
- 
-diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-index 2acaf85bec..e0cf2d773e 100644
---- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable named Service'
- 
-diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-index 1b723ce761..dc2813b11d 100644
---- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable vsftpd Service'
- 
-diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-index ade2d740c2..27cbd7418f 100644
---- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable httpd Service'
- 
-diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
-index 920de88bd0..ef3e17c687 100644
---- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
-+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable Dovecot Service'
- 
-diff --git a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
-index 9780397e50..8501b6286f 100644
---- a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
-+++ b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel8,rhel9
-+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9
- 
- title: 'Disable LDAP Server (slapd)'
- 
-diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
-index 222dafa3ef..13a1224483 100644
---- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
- 
- title: 'Disable rpcbind Service'
- 
-diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
-index ed3d8881db..42cc6befde 100644
---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9
-+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9
- 
- title: 'Disable Network File System (nfs)'
- 
-diff --git a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
-index 99e527ef10..4f414d3af1 100644
---- a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
-+++ b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel8,rhel9
-+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9
- 
- title: 'Disable ypserv Service'
- 
-diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
-index e3e56f5ea1..cac6fe082b 100644
---- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
-+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Ensure rsyncd service is diabled'
- 
-diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
-index bf9ddbb5f3..dfd5918cf2 100644
---- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
-+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,rhel7,rhel8,rhel9,sle15,ubuntu2004
-+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15,ubuntu2004
- 
- title: 'Disable the CUPS Service'
- 
-diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
-index 3e3f0f4f26..23d21f512a 100644
---- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
-+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable Squid'
- 
-diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
-index ee7b76b185..4aaeec5dc1 100644
---- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
-+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable Samba'
- 
-diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
-index 0bd8a0129b..fec9e270f3 100644
---- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
-+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,debian10,debian11,debian9,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,rhel7,rhel8,rhel9,sle15
- 
- title: 'Disable snmpd Service'
- 
-diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-index feed2148e2..ae9297fb43 100644
---- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Who Owns SSH Server config file'
- 
-diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-index f04aa5563c..6b34f4e3de 100644
---- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Owner on SSH Server config file'
- 
-diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
-index ddad4da469..895528c371 100644
---- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Permissions on SSH Server config file'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-index bbb16cd644..ab5eff0320 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Modify the System Login Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-index cdc981fc3d..3d318ef46b 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Modify the System Message of the Day Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
-index 66a7f83077..f0fd86e8e3 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Ownership of System Login Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
-index 4be94f2b2c..ebcb659853 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify Group Ownership of Message of the Day Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
-index a3d6b97b56..0b6012d2a9 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify ownership of System Login Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
-index d42b843421..5701faa68d 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify ownership of Message of the Day Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
-index 2b9349f75b..111143de2e 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify permissions on System Login Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
-index f5d9279b90..8043b9c07e 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify permissions on Message of the Day Banner'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
-index 73f2afff87..b4972e25e6 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
- 
- title: 'Limit Password Reuse: password-auth'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
-index fd85b25e98..2bb70d9762 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
- 
- title: 'Limit Password Reuse: system-auth'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-index 37bd49f696..31327aa03f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,ubuntu2004
- 
- title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-index 3dc5600b26..267c81b5ae 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
- 
- title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-index 4d1b5ebe4a..733777d0ce 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
- 
- title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-index b35b01c467..4aaf3ff64f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: "Set PAM''s Password Hashing Algorithm"
- 
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-index 1a247ecfb9..a8445adbf7 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Require Authentication for Emergency Systemd Target'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-index 932d76c36d..318e9c862d 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Require Authentication for Single User Mode'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-index 0cb369e82f..01767ce542 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Set Account Expiration Following Inactivity'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
-index de96fd58c4..3469cbf01c 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
- 
- title: 'Ensure All Accounts on the System Have Unique User IDs'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
-index 42a5c3a7b3..4a660ab92e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle15
- 
- title: 'Ensure All Groups on the System Have Unique Group ID'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
-index 756b2ae5bf..33554937a0 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,rhel7,rhel8,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,sle15
- 
- title: 'Ensure All Groups on the System Have Unique Group Names'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
-index 9384d5a981..ccb42a9749 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Set Existing Passwords Maximum Age'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
-index 8e4beddc05..378e2f4c49 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Set Existing Passwords Minimum Age'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-index af6e93ebf7..bc6e82e93d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
- 
- title: 'Ensure that System Accounts Do Not Run a Shell Upon Login'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
-index 9213cc472d..f9a2464f92 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004
- 
- title: 'Enforce usage of pam_wheel for su authentication'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index 978ddff0ca..f4e0dee229 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Set Interactive Session Timeout'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-index 2bd171f3fd..ee8ce9a668 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
-index 4ed84ef0a8..827bb124f4 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
- 
- title: 'All Interactive User Home Directories Must Be Owned By The Primary User'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-index a1e472043f..fd8fcebe81 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
- 
- title: 'Ensure the Default Bash Umask is Set Correctly'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
-index 14e3d2e07b..406b78f8c9 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
- 
- title: 'Ensure auditd Collects File Deletion Events by User'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-index ab60d66375..63028b39ec 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-index 3e28446e61..2e2b31ec06 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Record Unsuccessful Access Attempts to Files - creat'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-index 32ef125722..7f22f2cee8 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-index 1587662730..3e0220853d 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Record Unsuccessful Access Attempts to Files - open'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-index 3738f202fc..e44c876b23 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-index 61f278a9f2..c8552433d3 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Record Unsuccessful Access Attempts to Files - openat'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-index 0a1e39df2e..4e245ab020 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Record Unsuccessful Access Attempts to Files - truncate'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-index ac639d5b31..247e9a1aa5 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-index 56463078fc..aaaf635cd0 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-index c3e5d7a702..46065fc27a 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-index 334165f75e..4d4e1338c4 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-index ca391cc112..099414f33f 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Group Ownership'
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-index 40a8b787af..fab8602f08 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify {{{ grub2_boot_path }}}/grub.cfg User Ownership'
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
-index e4a08f5876..c1c793e73b 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Permissions'
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-index 28adf2303e..9472bbe292 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Set Boot Loader Password in grub2'
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
-index a7fb015139..4b12d06e13 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8
- 
- title: 'Verify the UEFI Boot Loader grub.cfg Group Ownership'
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
-index f8f91f2a49..f577dc1d5a 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8
- 
- title: 'Verify the UEFI Boot Loader grub.cfg User Ownership'
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
-index 348a0fe243..9b1ea037e6 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9
- 
- 
- title: 'Verify the UEFI Boot Loader grub.cfg Permissions'
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-index ecfee6ada4..35d0c8ca45 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Set the UEFI Boot Loader Password'
- 
-diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
-index 39d727ba86..5e192bbabf 100644
---- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml
-+++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: Ensure journald is configured to compress large log files
- 
-diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
-index ca35dd9370..8bac5b49e8 100644
---- a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
-+++ b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,rhel7,rhel8,rhel9
-+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9
- 
- title: Ensure journald is configured to send logs to rsyslog
- 
-diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
-index 8176701520..3a5c5e460b 100644
---- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml
-+++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,rhel7,rhel8,rhel9,sle15
-+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15
- 
- title: Ensure journald is configured to write log files to persistent disk
- 
-diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
-index 10750e14ae..bd7a2fbb09 100644
---- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
-+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
-+prodtype: alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
- 
- title: 'Install firewalld Package'
- 
-diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-index 5b43737544..e3d443f584 100644
---- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Verify firewalld Enabled'
- 
-diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
-index 6f110d679b..705c47a4d8 100644
---- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
-+++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
-+prodtype: anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
- 
- title: 'Install libreswan Package'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
-index 6118cd929d..bd47636f77 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Configure Accepting Router Advertisements on All IPv6 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-index 777bd7c7a1..7a4411d128 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
-index ce64d6e653..be86a4e56e 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
-index b4c1f42b68..eaa6b55d20 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for IPv6 Forwarding'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
-index d45ca63c8d..158f1b9773 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Accepting Router Advertisements on all IPv6 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
-index a42ca1890b..6723e8ab3b 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
-index 49d059ccf5..c2f7d5ef7f 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
-index 9a2c88cde5..29fb46c2f8 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
-index e4e87ff110..3e9d8eef15 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
-index aeecbae5fb..1ebf98a487 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
-index 4d31c6c3eb..5a00b590b5 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
-index abe92e65a5..5dce2c1517 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
-index 47abcc223b..6e0281ea25 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
-index 043f16e26e..1882f1a3eb 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
-index 38602c00b1..6d4a4225c9 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
-index 09ff60235f..2d5b22ec63 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
-index f21dfa912a..bea8153427 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
-index d45ebce67f..983ea889e8 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
-index 4f552dfce9..b841e4e302 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
-index e87793d5f6..0292844c8a 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
-index e44509ea33..96fe691e3e 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
-index b3534eb737..9a1049f59a 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-index 7acfc0b05b..bebb4df43e 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
-index 2087834007..2820608fce 100644
---- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
-+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable DCCP Support'
- 
-diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
-index f8b020fc5a..2a95c3a1df 100644
---- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
-+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Disable SCTP Support'
- 
-diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-index b3e20e7b0d..31ed5d33c0 100644
---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Deactivate Wireless Network Interfaces'
- 
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
-index f23bcd31d8..bc87146694 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
-@@ -2,7 +2,7 @@ documentation_complete: true
- 
- title: 'Ensure All SGID Executables Are Authorized'
- 
--prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
- 
- description: |-
-     The SGID (set group id) bit should be set only on files that were
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
-index 73d98ee1fc..f6c7ef7e4e 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
-@@ -2,7 +2,7 @@ documentation_complete: true
- 
- title: 'Ensure All SUID Executables Are Authorized'
- 
--prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
- 
- description: |-
-     The SUID (set user id) bit should be set only on files that were
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
-index 123f967db0..18c6b37409 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Ensure All Files Are Owned by a Group'
- 
-diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
-index c774309fca..0cca02ba0b 100644
---- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,uos20
- 
- title: 'Disable the Automounter'
- 
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-index c2c0f05d40..989ad0629f 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
- 
- title: 'Disable Core Dumps for All Users'
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
-index 870150aadf..03e830776f 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
- 
- title: 'Configure BIND to use System Crypto Policy'
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
-index de186e7684..92769e5110 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
- 
- title: 'Configure System Cryptography Policy'
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
-index 68f748ebf5..3a2df056e7 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
- 
- title: 'Configure Kerberos to use System Crypto Policy'
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
-index e769599ae5..09745c9e50 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
- 
- title: 'Configure Libreswan to use System Crypto Policy'
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
-index 49b35d058d..db7866bdd8 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
- 
- title: 'Configure OpenSSL library to use System Crypto Policy'
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
-index ab9408af96..573983212d 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
- 
- title: 'Configure SSH to use System Crypto Policy'
- 
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
-index 3b70a5979c..d5abd91d1c 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
-@@ -4,7 +4,7 @@
- 
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Configure Periodic Execution of AIDE'
- 
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
-index 287ac5575e..66720c2c09 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
- 
- title: 'Install AIDE'
- 
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
-index d3d3224739..94a08024d2 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,uos20
- 
- title: 'Verify File Hashes with RPM'
- 
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
-index c51b054612..2c9d3e65d4 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
- 
- title: 'Verify and Correct File Permissions with RPM'
- 
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
-index 17fe909be2..22c1776a19 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
- 
- title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
- 
-diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml
-index 58ae682542..42d87f4c66 100644
---- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml
-+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,uos20
-+prodtype: alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,uos20
- 
- title: 'Ensure Red Hat GPG Key Installed'
- 
-diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
-index 607846e10f..ac623b8b78 100644
---- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
-+++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20
- 
- title: 'Ensure Software Patches Installed'
- 
-diff --git a/products/anolis8/CMakeLists.txt b/products/anolis8/CMakeLists.txt
-new file mode 100644
-index 0000000000..5e1cfa01ad
---- /dev/null
-+++ b/products/anolis8/CMakeLists.txt
-@@ -0,0 +1,6 @@
-+# Sometimes our users will try to do: "cd anolis8; cmake ." That needs to error in a nice way.
-+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
-+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
-+endif()
-+
-+ssg_build_product("anolis8")
-diff --git a/products/anolis8/overlays/.gitkeep b/products/anolis8/overlays/.gitkeep
-new file mode 100644
-index 0000000000..e69de29bb2
-diff --git a/products/anolis8/product.yml b/products/anolis8/product.yml
-new file mode 100644
-index 0000000000..b81bb76575
---- /dev/null
-+++ b/products/anolis8/product.yml
-@@ -0,0 +1,23 @@
-+product: anolis8
-+full_name: Anolis OS 8
-+type: platform
-+
-+benchmark_id: ANOLIS-8
-+benchmark_root: "../../linux_os/guide"
-+
-+profiles_root: "./profiles"
-+
-+pkg_manager: "yum"
-+
-+init_system: "systemd"
-+
-+cpes_root: "../../shared/applicability"
-+cpes:
-+  - anolis8:
-+      name: "cpe:/o:anolis:anolis_os:8"
-+      title: "Anolis OS 8"
-+      check_id: installed_OS_is_anolis8
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile
-new file mode 100644
-index 0000000000..a9f86ca49b
---- /dev/null
-+++ b/products/anolis8/profiles/standard.profile
-@@ -0,0 +1,728 @@
-+documentation_complete: true
-+
-+title: 'Standard System Security Profile for Anolis OS 8'
-+
-+description: |-
-+    This profile contains rules to ensure standard security baseline
-+    of a Anolis OS 8 system.
-+
-+selections:
-+    # 1 access-and-control
-+    ## 1.1-ensure-cron-daemon-is-enabled
-+    ### Level 1
-+    - service_crond_enabled
-+
-+    ## 1.2-ensure-permissions-on-etc-crontab-are-configured
-+    ### Level 1
-+    - file_groupowner_crontab
-+    - file_owner_crontab
-+    - file_permissions_crontab
-+
-+    ## 1.3-ensure-permissions-on-etc-cron.hourly-are-configured
-+    ### Level 1
-+    - file_groupowner_cron_hourly
-+    - file_owner_cron_hourly
-+    - file_permissions_cron_hourly
-+
-+    ## 1.4-ensure-permissions-on-etc-cron.daily-are-configured
-+    ### Level 1
-+    - file_groupowner_cron_daily
-+    - file_owner_cron_daily
-+    - file_permissions_cron_daily
-+
-+    ## 1.5-ensure-permissions-on-etc-cron.weekly-are-configured
-+    ### Level 1
-+    - file_groupowner_cron_weekly
-+    - file_owner_cron_weekly
-+    - file_permissions_cron_weekly
-+
-+    ## 1.6-ensure-permissions-on-etc-cron.monthly-are-configured
-+    ### Level 1
-+    - file_groupowner_cron_monthly
-+    - file_owner_cron_monthly
-+    - file_permissions_cron_monthly
-+
-+    ## 1.7-ensure-permissions-on-etc-cron.d-are-configured
-+    ### Level 1
-+    - file_groupowner_cron_d
-+    - file_owner_cron_d
-+    - file_permissions_cron_d
-+
-+    ## 1.8-ensure-at-cron-is-restricted-to-authorized-users
-+    ### Level 1
-+    - file_groupowner_cron_allow
-+    - file_owner_cron_allow
-+    - file_cron_deny_not_exist
-+    - file_groupowner_at_allow
-+    - file_owner_at_allow
-+    - file_at_deny_not_exist
-+    - file_permissions_at_allow
-+    - file_permissions_cron_allow
-+
-+    ## 1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured
-+    ### Level 1
-+    - file_groupowner_sshd_config
-+    - file_owner_sshd_config
-+    - file_permissions_sshd_config
-+
-+    ## 1.10-ensure-ssh-access-is-limited
-+    ### Level 2
-+    # Needs rule
-+
-+    ## 1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured
-+    ### Level 1
-+    - file_permissions_sshd_private_key
-+
-+    ## 1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured
-+    ### Level 1
-+    - file_permissions_sshd_pub_key
-+
-+    ## 1.13-ensure-ssh-loglevel-is-appropriate
-+    ### Level 1
-+    - sshd_set_loglevel_verbose
-+    # or
-+    - sshd_set_loglevel_info
-+
-+    ## 1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less
-+    ### Level 1
-+    - sshd_max_auth_tries_value=4
-+    - sshd_set_max_auth_tries
-+
-+    ## 1.15-ensure-ssh-ignorerhosts-is-enabled
-+    ### Level 1
-+    - sshd_disable_rhosts
-+
-+    ## 1.16-ensure-ssh-hostbasedauthentication-is-disabled
-+    ### Level 1
-+    - disable_host_auth
-+
-+    ## 1.17-ensure-ssh-root-login-is-disabled
-+    ### Level 1
-+    - sshd_disable_root_login
-+
-+    ## 1.18-ensure-ssh-permitemptypasswords-is-disabled
-+    ### Level 1
-+    - sshd_disable_empty_passwords
-+
-+    ## 1.19-ensure-ssh-permituserenvironment-is-disabled
-+    ### Level 1
-+    - sshd_do_not_permit_user_env
-+
-+    ## 1.20-ensure-ssh-idle-timeout-interval-is-configured
-+    ### Level 1
-+    - sshd_idle_timeout_value=15_minutes
-+    - sshd_set_idle_timeout
-+    - sshd_set_keepalive
-+    - var_sshd_set_keepalive=0
-+
-+    ## 1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less
-+    ### Level 1
-+    - sshd_set_login_grace_time
-+    - var_sshd_set_login_grace_time=60
-+
-+    ## 1.22-ensure-ssh-warning-banner-is-configured
-+    ### Level 1
-+    - sshd_enable_warning_banner
-+
-+    ## 1.23-ensure-ssh-pam-is-enabled
-+    ### Level 1
-+    - sshd_enable_pam
-+
-+    ## 1.24-ensure-ssh-maxstartups-is-configured
-+    ### Level 1
-+    - sshd_set_maxstartups
-+    - var_sshd_set_maxstartups=10:30:60
-+
-+    ## 1.25-ensure-ssh-maxsessions-is-set-to-10-or-less
-+    ### Level 1
-+    - sshd_set_max_sessions
-+    - var_sshd_max_sessions=10
-+
-+    ## 1.26-ensure-system-wide-crypto-policy-is-not-over-ridden
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 1.27-ensure-password-creation-requirements-are-configured
-+    ### Level 1
-+    - accounts_password_pam_minclass
-+    - accounts_password_pam_minlen
-+    - accounts_password_pam_retry
-+    - var_password_pam_minclass=4
-+    - var_password_pam_minlen=14
-+
-+    ## 1.28-ensure-lockout-for-failed-password-attempts-is-configured
-+    ### Level 1
-+    - locking_out_password_attempts
-+
-+    ## 1.29-ensure-password-reuse-is-limited
-+    ### Level 1
-+    - accounts_password_pam_pwhistory_remember_password_auth
-+    - accounts_password_pam_pwhistory_remember_system_auth
-+    - var_password_pam_remember_control_flag=required
-+    - var_password_pam_remember=5
-+
-+    ## 1.30-ensure-password-hashing-algorithm-is-sha-512
-+    ### Level 1
-+    - set_password_hashing_algorithm_systemauth
-+
-+    ## 1.31-ensure-password-expiration-is-365-days-or-less
-+    ### Level 1
-+    - accounts_maximum_age_login_defs
-+    - var_accounts_maximum_age_login_defs=365
-+    - accounts_password_set_max_life_existing
-+
-+    ## 1.32-ensure-minimum-days-between-password-changes-is-7-or-more
-+    ### Level 1
-+    - accounts_minimum_age_login_defs
-+    - var_accounts_minimum_age_login_defs=7
-+    - accounts_password_set_min_life_existing
-+
-+    ## 1.33-ensure-password-expiration-warning-days-is-7-or-more
-+    ### Level 1
-+    - accounts_password_warn_age_login_defs
-+    - var_accounts_password_warn_age_login_defs=7
-+
-+    ## 1.34-ensure-inactive-password-lock-is-30-days-or-less
-+    ### Level 1
-+    - account_disable_post_pw_expiration
-+    - var_account_disable_post_pw_expiration=30
-+
-+    ## 1.35-ensure-all-users-last-password-change-date-is-in-the-past
-+    ### Level 2
-+    # Needs rule
-+
-+    ## 1.36-ensure-system-accounts-are-secured
-+    ### Level 1
-+    - no_shelllogin_for_systemaccounts
-+
-+    ## 1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less
-+    ### Level 1
-+    - accounts_tmout
-+    - var_accounts_tmout=15_min
-+
-+    ## 1.38-ensure-default-group-for-the-root-account-is-gid-0
-+    ### Level 1
-+    - accounts_root_gid_zero
-+
-+    ## 1.39-ensure-default-user-umask-is-027-or-more-restrictive
-+    ### Level 1
-+    - accounts_umask_etc_bashrc
-+    - accounts_umask_etc_login_defs
-+    - accounts_umask_etc_profile
-+    - var_accounts_user_umask=027
-+
-+    ## 1.40-ensure-access-to-the-su-command-is-restricted
-+    ### Level 1
-+    - use_pam_wheel_for_su
-+
-+    ## 1.41-ensure-ssh-server-use-protocol_2
-+    ### Level 1
-+    - sshd_allow_only_protocol2
-+
-+    ## 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.2-ensure-only-authorized-users-own-audit-log-files
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.7-ensure-only-authorized-groups-own-the-audit-configuration-files
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.9-ensure-audit-tools-are-owned-by-root
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.10-ensure-audit-tools-are-group-owned-by-root
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.12-ensure-rsyslog-is-installed
-+    ### Level 1
-+    - package_rsyslog_installed
-+
-+    ## 2.13-ensure-rsyslog-service-is-enabled
-+    ### Level 1
-+    - service_rsyslog_enabled
-+
-+    ## 2.14-ensure-rsyslog-default-file-permissions-configured
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host
-+    ### Level 2
-+    - rsyslog_remote_loghost
-+
-+    ## 2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog
-+    ### Level 1
-+    - journald_forward_to_syslog
-+
-+    ## 2.17-ensure-journald-is-configured-to-compress-large-log-files
-+    ### Level 1
-+    - journald_compress
-+
-+    ## 2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk
-+    ### Level 1
-+    - journald_storage
-+
-+    ## 2.19-ensure-audit-is-installed
-+    ### Level 1
-+    - package_audit_installed
-+
-+    ## 2.20-ensure-audit-service-is-enabled
-+    ### Level 3
-+    - service_auditd_enabled
-+
-+    ## 3.1-disable-http-server
-+    ### Level 1
-+    - service_httpd_disabled
-+
-+    ## 3.2-disable-ftp-server
-+    ### Level 1
-+    - service_vsftpd_disabled
-+
-+    ## 3.3-disable-dns-server
-+    ### Level 1
-+    - service_named_disabled
-+
-+    ## 3.4-disable-nfs
-+    ### Level 1
-+    - service_nfs_disabled
-+
-+    ## 3.5-disable-rpc
-+    ### Level 1
-+    - service_rpcbind_disabled
-+
-+    ## 3.6-disable-ldap-server
-+    ### Level 1
-+    - service_slapd_disabled
-+
-+    ## 3.7-disable-dhcp-server
-+    ### Level 1
-+    - service_dhcpd_disabled
-+
-+    ## 3.8-disable-cups
-+    ### Level 1
-+    - service_cups_disabled
-+
-+    ## 3.9-disable-nis-server
-+    ### Level 1
-+    - service_ypserv_disabled
-+
-+    ## 3.10-disable-rsync-server
-+    ### Level 1
-+    - service_rsyncd_disabled
-+
-+    ## 3.11-disable-avahi-server
-+    ### Level 1
-+    - service_avahi-daemon_disabled
-+
-+    ## 3.12-disable-snmp-server
-+    ### Level 1
-+    - service_snmpd_disabled
-+
-+    ## 3.13-disable-http-proxy-server
-+    ### Level 1
-+    - service_squid_disabled
-+
-+    ## 3.14-disable-samba
-+    ### Level 1
-+    - service_smb_disabled
-+
-+    ## 3.15-disable-imap-and-pop3-server
-+    ### Level 1
-+    - service_dovecot_disabled
-+
-+    ## 3.16-disable-smtp-protocol
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 3.17-disable-telnet-port-23
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.1-ensure-message-of-the-day-is-configured-properly
-+    ### Level 1
-+    - banner_etc_motd
-+    - login_banner_text=cis_banners
-+
-+    ## 4.2-ensure-local-login-warning-banner-is-configured-properly
-+    ### Level 1
-+    - banner_etc_issue
-+    - login_banner_text=cis_banners
-+
-+    ## 4.3-ensure-remote-login-warning-banner-is-configured-properly
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.4-ensure-permissions-on-etc-motd-are-configured
-+    ### Level 1
-+    - file_groupowner_etc_motd
-+    - file_owner_etc_motd
-+    - file_permissions_etc_motd
-+
-+    ## 4.5-ensure-permissions-on-etc-issue-are-configured
-+    ### Level 1
-+    - file_groupowner_etc_issue
-+    - file_owner_etc_issue
-+    - file_permissions_etc_issue
-+
-+    ## 4.6-ensure-permissions-on-etc-issue.net-are-configured
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.7-ensure-gpgcheck-is-globally-activated
-+    ### Level 1
-+    - ensure_gpgcheck_globally_activated
-+
-+    ## 4.8-ensure-aide-is-installed
-+    ### Level 1
-+    - package_aide_installed
-+
-+    ## 4.9-ensure-filesystem-integrity-is-regularly-checked
-+    ### Level 1
-+    - aide_periodic_cron_checking
-+
-+    ## 4.10-ensure-bootloader-password-is-set
-+    ### Level 2
-+    - grub2_password
-+
-+    ## 4.11-ensure-permissions-on-bootloader-config-are-configured
-+    ### Level 1
-+    #- file_groupowner_efi_grub2_cfg
-+    - file_groupowner_grub2_cfg
-+    #- file_owner_efi_grub2_cfg
-+    - file_owner_grub2_cfg
-+    #- file_permissions_efi_grub2_cfg
-+    - file_permissions_grub2_cfg
-+
-+    ## 4.12-ensure-authentication-required-for-single-user-mode
-+    ### Level 1
-+    - require_singleuser_auth
-+    - require_emergency_target_auth
-+
-+    ## 4.13-ensure-core-dumps-are-restricted
-+    ### Level 1
-+    - disable_users_coredumps
-+    - sysctl_fs_suid_dumpable
-+    - coredump_disable_backtraces
-+    - coredump_disable_storage
-+
-+    ## 4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled
-+    ### Level 1
-+    - sysctl_kernel_randomize_va_space
-+
-+    ## 4.15-ensure-system-wide-crypto-policy-is-not-legacy
-+    ### Level 1
-+    - configure_crypto_policy
-+    - var_system_crypto_policy=default_policy
-+
-+    ## 4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories
-+    ### Level 1
-+    - dir_perms_world_writable_sticky_bits
-+
-+    ## 4.17-ensure-permissions-on-etc-passwd-are-configured
-+    ### Level 1
-+    - file_permissions_etc_passwd
-+
-+    ## 4.18-ensure-permissions-on-etc-shadow-are-configured
-+    ### Level 1
-+    - file_owner_etc_shadow
-+    - file_groupowner_etc_shadow
-+    - file_permissions_etc_shadow
-+
-+    ## 4.19-ensure-permissions-on-etc-group-are-configured
-+    ### Level 1
-+    - file_groupowner_etc_group
-+    - file_owner_etc_group
-+    - file_permissions_etc_group
-+
-+    ## 4.20-ensure-permissions-on-etc-gshadow-are-configured
-+    ### Level 1
-+    - file_groupowner_etc_gshadow
-+    - file_owner_etc_gshadow
-+    - file_permissions_etc_gshadow
-+
-+    ## 4.21-ensure-permissions-on-etc-passwd--are-configured
-+    ### Level 1
-+    - file_groupowner_backup_etc_passwd
-+    - file_owner_backup_etc_passwd
-+    - file_permissions_backup_etc_passwd
-+
-+    ## 4.22-ensure-permissions-on-etc-shadow--are-configured
-+    ### Level 1
-+    - file_groupowner_backup_etc_shadow
-+    - file_owner_backup_etc_shadow
-+    - file_permissions_backup_etc_shadow
-+
-+    ## 4.23-ensure-permissions-on-etc-group--are-configured
-+    ### Level 1
-+    - file_groupowner_backup_etc_group
-+    - file_owner_backup_etc_group
-+    - file_permissions_backup_etc_group
-+
-+    ## 4.24-ensure-permissions-on-etc-gshadow--are-configured
-+    ### Level 1
-+    - file_groupowner_backup_etc_gshadow
-+    - file_owner_backup_etc_gshadow
-+    - file_permissions_backup_etc_gshadow
-+
-+    ## 4.25-ensure-no-world-writable-files-exist
-+    ### Level 2
-+    - file_permissions_unauthorized_world_writable
-+
-+    ## 4.26-ensure-no-unowned-files-or-directories-exist
-+    ### Level 2
-+    # Needs rule
-+
-+    ## 4.27-ensure-no-ungrouped-files-or-directories-exist
-+    ### Level 2
-+    - file_permissions_ungroupowned
-+
-+    ## 4.28-ensure-no-password-fields-are-not-empty
-+    ### Level 2
-+    # Needs rule
-+
-+    ## 4.29-ensure-root-path-integrity
-+    ### Level 2
-+    - accounts_root_path_dirs_no_write
-+    - root_path_no_dot
-+
-+    ## 4.30-ensure-root-is-the-only-uid-0-account
-+    ### Level 2
-+    - accounts_no_uid_except_zero
-+
-+    ## 4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.32-ensure-users-own-their-home-directories
-+    ### Level 1
-+    - file_ownership_home_directories
-+    - file_groupownership_home_directories
-+
-+    ## 4.33-ensure-users-dot-files-are-not-group-or-world-writable
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.34-ensure-no-users-have-.forward-files
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.35-ensure-no-users-have-.netrc-files
-+    ### Level 1
-+    - no_netrc_files
-+
-+    ## 4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.37-ensure-no-users-have-.rhosts-files
-+    ### Level 1
-+    - no_rsh_trust_files
-+
-+    ## 4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group
-+    ### Level 2
-+    # Needs rule
-+
-+    ## 4.39-ensure-no-duplicate-uids-exist
-+    ### Level 2
-+    - account_unique_id
-+
-+    ## 4.40-ensure-no-duplicate-gids-exist
-+    ### Level 2
-+    - group_unique_id
-+
-+    ## 4.41-ensure-no-duplicate-user-names-exist
-+    ### Level 2
-+    # Needs rule
-+
-+    ## 4.42-ensure-no-duplicate-group-names-exist
-+    ### Level 2
-+    - group_unique_name
-+
-+    ## 4.43-ensure-all-users-home-directories-exist
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.44-ensure-sctp-is-disabled
-+    ### Level 1
-+    - kernel_module_sctp_disabled
-+
-+    ## 4.45-ensure-dccp-is-disabled
-+    ### Level 1
-+    - kernel_module_dccp_disabled
-+
-+    ## 4.46-ensure-wireless-interfaces-are-disabled
-+    ### Level 1
-+    - wireless_disable_interfaces
-+
-+    ## 4.47-ensure-ip-forwarding-is-disabled
-+    ### Level 1
-+    - sysctl_net_ipv4_ip_forward
-+    - sysctl_net_ipv6_conf_all_forwarding
-+    - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-+
-+    ## 4.48-ensure-packet-redirect-sending-is-disabled
-+    ### Level 1
-+    - sysctl_net_ipv4_conf_all_send_redirects
-+    - sysctl_net_ipv4_conf_default_send_redirects
-+
-+    ## 4.49-ensure-source-routed-packets-are-not-accepted
-+    ### Level 1
-+    - sysctl_net_ipv4_conf_all_accept_source_route
-+    - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-+    - sysctl_net_ipv4_conf_default_accept_source_route
-+    - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-+    - sysctl_net_ipv6_conf_all_accept_source_route
-+    - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-+    - sysctl_net_ipv6_conf_default_accept_source_route
-+    - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-+
-+    ## 4.50-ensure-icmp-redirects-are-not-accepted
-+    ### Level 1
-+    - sysctl_net_ipv4_conf_all_accept_redirects
-+    - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-+    - sysctl_net_ipv4_conf_default_accept_redirects
-+    - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-+    - sysctl_net_ipv6_conf_all_accept_redirects
-+    - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-+    - sysctl_net_ipv6_conf_default_accept_redirects
-+    - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-+
-+    ## 4.51-ensure-secure-icmp-redirects-are-not-accepted
-+    ### Level 1
-+    - sysctl_net_ipv4_conf_all_secure_redirects
-+    - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-+    - sysctl_net_ipv4_conf_default_secure_redirects
-+    - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-+
-+    ## 4.52-ensure-suspicious-packets-are-logged
-+    ### Level 1
-+    - sysctl_net_ipv4_conf_all_log_martians
-+    - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-+    - sysctl_net_ipv4_conf_default_log_martians
-+    - sysctl_net_ipv4_conf_default_log_martians_value=enabled
-+
-+    ## 4.53-ensure-broadcast-icmp-requests-are-ignored
-+    ### Level 1
-+    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-+
-+    ## 4.54-ensure-bogus-icmp-responses-are-ignored
-+    ### Level 1
-+    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-+
-+    ## 4.55-ensure-reverse-path-filtering-is-enabled
-+    ### Level 1
-+    - sysctl_net_ipv4_conf_all_rp_filter
-+    - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-+    - sysctl_net_ipv4_conf_default_rp_filter
-+    - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-+
-+    ## 4.56-ensure-tcp-syn-cookies-is-enabled
-+    ### Level 1
-+    - sysctl_net_ipv4_tcp_syncookies
-+    - sysctl_net_ipv4_tcp_syncookies_value=enabled
-+
-+    ## 4.57-ensure-ipv6-router-advertisements-are-not-accepted
-+    ### Level 1
-+    - sysctl_net_ipv6_conf_all_accept_ra
-+    - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-+    - sysctl_net_ipv6_conf_default_accept_ra
-+    - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-+
-+    ## 4.58-ensure-a-firewall-package-is-installed
-+    ### Level 1
-+    - package_firewalld_installed
-+
-+    ## 4.59-ensure-firewalld-service-is-enabled-and-running
-+    ### Level 1
-+    - service_firewalld_enabled
-+
-+    ## 4.60-ensure-iptables-is-not-enabled
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.61-ensure-nftables-is-not-enabled
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.62-ensure-nftables-service-is-enabled
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.63-ensure-iptables-packages-are-installed
-+    ### Level 1
-+    - package_iptables_installed
-+
-+    ## 4.64-ensure-nftables-is-not-installed
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.66-ensure-system-histsize-as-100-or-other
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 4.67-ensure-system-histfilesize-100
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 5.1-ensure-selinux-is-installed
-+    ### Level 1
-+    # Needs rule
-+
-+    ## 5.2-ensure-selinux-policy-is-configured
-+    ### Level 3
-+    # Needs rule
-+
-+    ## 5.3-ensure-the-selinux-mode-is-enabled
-+    ### Level 3
-+    # Needs rule
-+
-+    ## 5.4-ensure-the-selinux-mode-is-enforcing
-+    ### Level 3
-+    # Needs rule
-+
-+    ## 5.5-ensure-no-unconfined-services-exist
-+    ### Level 4
-+    # Needs rule
-+
-+    ## 5.6-use-selinux-for-separation-of-powers-user-created
-+    ### Level 4
-+    # Needs rule
-+
-+    ## 5.7-use-selinux-for-separation-of-powers-system-administrator-login-permission-configuration
-+    ### Level 4
-+    # Needs rule
-\ No newline at end of file
-diff --git a/products/anolis8/transforms/constants.xslt b/products/anolis8/transforms/constants.xslt
-new file mode 100644
-index 0000000000..c3323b4a52
---- /dev/null
-+++ b/products/anolis8/transforms/constants.xslt
-@@ -0,0 +1,10 @@
-+
-+
-+
-+
-+Anolis OS 8
-+Anolis 8
-+empty
-+anolis
-+
-+
-diff --git a/products/anolis8/transforms/table-style.xslt b/products/anolis8/transforms/table-style.xslt
-new file mode 100644
-index 0000000000..218d0f7542
---- /dev/null
-+++ b/products/anolis8/transforms/table-style.xslt
-@@ -0,0 +1,5 @@
-+
-+
-+
-+
-+
-diff --git a/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt b/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt
-new file mode 100644
-index 0000000000..4789419b80
---- /dev/null
-+++ b/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt
-@@ -0,0 +1,8 @@
-+
-+
-+
-+
-+
-+
-+
-+
-diff --git a/products/anolis8/transforms/xccdf2table-cce.xslt b/products/anolis8/transforms/xccdf2table-cce.xslt
-new file mode 100644
-index 0000000000..1ffb22215c
---- /dev/null
-+++ b/products/anolis8/transforms/xccdf2table-cce.xslt
-@@ -0,0 +1,9 @@
-+
-+
-+
-+
-+
-+
-+
-+
-+
-diff --git a/products/anolis8/transforms/xccdf2table-profileccirefs.xslt b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt
-new file mode 100644
-index 0000000000..5a104d956f
---- /dev/null
-+++ b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt
-@@ -0,0 +1,9 @@
-+
-+
-+
-+
-+
-+
-+
-+
-+
-diff --git a/shared/checks/oval/installed_OS_is_anolis8.xml b/shared/checks/oval/installed_OS_is_anolis8.xml
-new file mode 100644
-index 0000000000..c662d8c960
---- /dev/null
-+++ b/shared/checks/oval/installed_OS_is_anolis8.xml
-@@ -0,0 +1,28 @@
-+
-+  
-+    
-+      Anolis OS 8
-+      
-+        multi_platform_all
-+      
-+      
-+      The operating system installed on the system is Anolis OS 8
-+    
-+    
-+      
-+      
-+    
-+  
-+
-+  
-+    
-+    
-+  
-+  
-+    ^8.*$
-+  
-+  
-+    anolis-release
-+  
-+
-+
-diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-index f971d28a04..94967843fa 100644
---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-@@ -3,6 +3,7 @@
-     
-       Kernel Runtime Parameter IPv6 Check
-       
-+	multi_platform_anolis
- 	multi_platform_debian
- 	multi_platform_example
- 	multi_platform_fedora
-diff --git a/ssg/constants.py b/ssg/constants.py
-index d73c6012f3..1c01f6fead 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -41,6 +41,7 @@ SSG_REF_URIS = {
- product_directories = [
-     'alinux2',
-     'alinux3',
-+    'anolis8',
-     'chromium',
-     'debian9', 'debian10', 'debian11',
-     'example',
-@@ -195,6 +196,7 @@ PKG_MANAGER_TO_CONFIG_FILE = {
- FULL_NAME_TO_PRODUCT_MAPPING = {
-     "Alinux 2": "alinux2",
-     "Alinux 3": "alinux3",
-+    "Anolis OS 8": "anolis8",
-     "Chromium": "chromium",
-     "Debian 9": "debian9",
-     "Debian 10": "debian10",
-@@ -266,11 +268,12 @@ REFERENCES = dict(
- 
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
-                        "opensuse", "sle", "ol", "ocp", "rhcos",
--                       "example", "eks", "alinux", "uos"]
-+                       "example", "eks", "alinux", "uos", "anolis"]
- 
- MULTI_PLATFORM_MAPPING = {
-     "multi_platform_alinux": ["alinux2"],
-     "multi_platform_alinux": ["alinux3"],
-+    "multi_platform_anolis": ["anolis8"],
-     "multi_platform_debian": ["debian9", "debian10", "debian11"],
-     "multi_platform_example": ["example"],
-     "multi_platform_eks": ["eks"],
-@@ -436,6 +439,7 @@ XCCDF_PLATFORM_TO_PACKAGE = {
- # _version_name_map = {
- MAKEFILE_ID_TO_PRODUCT_MAP = {
-     'alinux': 'Alibaba Cloud Linux',
-+    'anolis': 'Anolis OS',
-     'chromium': 'Google Chromium Browser',
-     'fedora': 'Fedora',
-     'firefox': 'Mozilla Firefox',
-diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py
-index 095191dd2d..b55a217ab7 100644
---- a/tests/unit/ssg-module/test_utils.py
-+++ b/tests/unit/ssg-module/test_utils.py
-@@ -12,7 +12,7 @@ def test_is_applicable():
- 
-     assert not ssg.utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7')
-     assert not ssg.utils.is_applicable('ol7', 'rhel7')
--    assert not ssg.utils.is_applicable('alinux2,alinux3,fedora,debian9,debian10,debian11,uos20',
-+    assert not ssg.utils.is_applicable('alinux2,alinux3,anolis8,fedora,debian9,debian10,debian11,uos20',
-                                        'rhel7')
- 
- 
--- 
-2.31.1
-
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 1e71b56..db7efc0 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,13 +1,12 @@
-%define anolis_release .0.2
 # Base name of static rhel6 content tarball
 %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
 # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
 %global _vpath_builddir build
-%global _default_patch_fuzz 2
+# global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly
 
 Name:		scap-security-guide
 Version:	0.1.63
-Release:	1%{anolis_release}%{?dist}
+Release:	4%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@@ -15,37 +14,28 @@ URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Include tarball with last released rhel6 content
 Source1:	%{_static_rhel6_content}.tar.bz2
-# Disable profiles that are not in good shape for products/rhel8
-Patch0:	 disable-not-in-good-shape-profiles.patch
-# Update RHEL8 STIG to V1R7
-Patch1:	 scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch
-# Refresh BPF related rules in RHEL 9 OSPP profile
-Patch2:	 scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
-# New sysctl ipv4 forwarding rule
-Patch3:	 scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
-# Add rsyslogd to the list of tools checked by aide
-Patch4:	 scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch
-# Accept sudoers files without includes as compliant
-Patch5:	 scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch
-# Update few sysctl rules to accept multiple compliant values
-Patch6:	 scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
-# Reintroduce back the sshd timeout rules in RHEL8 STIG profile
-Patch7:	 scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch
-# Make OSPP profiles use minimal Authselect profile
-Patch8:	 scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch
-# change rules protecting boot in RHEL8 OSPP
-Patch9:	 scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
-# Introduce and apply the "partition exists" platform
-Patch10:	scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
-# Add the platform applicability to relevant rules
-Patch11:	scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path
-# Fix ansible partition conditionals
-Patch12:	scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
-# supports Anolis OS 8
-Patch13:	scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch
 
 BuildArch:	noarch
 
+# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
+Patch0:		disable-not-in-good-shape-profiles.patch
+Patch1:		scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
+Patch2:		scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
+Patch3:		scap-security-guide-0.1.64-stig_aide-PR_9282.patch
+Patch4:		scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
+Patch5:		scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
+Patch6:		scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
+Patch7:		scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
+Patch8:		scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
+Patch9:		scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
+Patch10:		scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
+Patch11:		scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
+Patch12:		scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
+Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
+Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
+Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
+Patch16:		scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
+
 BuildRequires:	libxslt
 BuildRequires:	expat
 BuildRequires:	openscap-scanner >= 1.2.5
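Review bot: Patch1 through Patch16 are listed without the one-line purpose comments the previous list carried, so only Patch0 says what its backport does and the other sixteen are identified solely by the PR number embedded in the file name. The changelog further down maps fixes to RHBZ numbers but never to patch files, so someone auditing which backport changed, say, sudoers Defaults handling has to open each patch in turn. Keep the old convention and put a short line above each entry, e.g. `# Fix handling of Defaults clause in sudoers (upstream PR 9299)` above Patch11 and `# Fix check of enable_fips_mode on s390x (upstream PR 9355)` above Patch16. With `_default_patch_fuzz` now left at rpm's default, any backport that has drifted will stop `%autosetup` instead of landing at a shifted offset, so the comment is also the quickest way to decide what to rebase when that happens.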
@@ -81,15 +71,6 @@ The %{name}-doc package contains HTML formatted documents containing
 hardening guidances that have been generated from XCCDF benchmarks
 present in %{name} package.
 
-%package        extra
-Summary:        Extra files package
-Group:          System Environment/Base
-Requires:       %{name} = %{version}-%{release}
-
-%description    extra
-The %{name}-extra package contains various situation guidebooks
-
-
 %if ( %{defined rhel} && (! %{defined centos}) )
 %package	rule-playbooks
 Summary:	Ansible playbooks per each rule.
@@ -100,8 +81,6 @@ Requires:	%{name} = %{version}-%{release}
 The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
 %endif
 
-
-
 %prep
 %autosetup -p1 -b1
 
@@ -114,7 +93,6 @@ cd build
 -DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
 -DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
 -DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
--DSSG_PRODUCT_ANOLIS8:BOOLEAN=TRUE \
 %if %{defined centos}
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
 %else
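Review bot: Dropping `-DSSG_PRODUCT_ANOLIS8:BOOLEAN=TRUE` means the build no longer produces an Anolis OS 8 datastream, and nothing in `%files` would notice, because `%{_datadir}/xml/scap/ssg/content` is packaged as a whole directory rather than by file name. The third commit in this series re-adds the 2957-line Anolis patch but touches the spec in only four lines, and that hunk is not in view, so confirm it restores this flag together with a `Patch17:` line; otherwise the patch is applied in `%prep` and the product it enables is never built or shipped. A cheap guard is an explicit entry for the expected datastream (something like `%{_datadir}/xml/scap/ssg/content/ssg-anolis8-ds.xml`) in `%files`, which makes rpmbuild fail loudly if the product silently drops out again.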
@@ -137,11 +115,6 @@ cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name
 cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
 
 %files
-%exclude %{_datadir}/%{name}/ansible/rhel*
-%exclude %{_datadir}/%{name}/bash/rhel*
-%exclude %{_datadir}/%{name}/kickstart/ssg-rhel*
-%exclude %{_datadir}/%{name}/tailoring/rhel*
-%exclude %{_datadir}/xml/scap/ssg/content/ssg-rhel*
 %{_datadir}/xml/scap/ssg/content
 %{_datadir}/%{name}/kickstart
 %{_datadir}/%{name}/ansible
@@ -159,13 +132,6 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html
 
-%files extra
-%{_datadir}/%{name}/ansible/rhel*
-%{_datadir}/%{name}/bash/rhel*
-%{_datadir}/%{name}/kickstart/ssg-rhel*
-%{_datadir}/%{name}/tailoring/rhel*
-%{_datadir}/xml/scap/ssg/content/ssg-rhel*
-
 %if ( %{defined rhel} && (! %{defined centos}) )
 %files rule-playbooks
 %defattr(-,root,root,-)
@@ -173,26 +139,34 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 
 %changelog
-* Fri Dec 30 2022 Yuqing  - 0.1.63-1.0.2
-- Add product for Anolis8 (#9770)
+* Wed Aug 17 2022 Watson Sato  - 0.1.63-4
+- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
+
+* Mon Aug 15 2022 Watson Sato  - 0.1.63-3
+- Fix Ansible partition conditional (RHBZ#2032403)
+
+* Wed Aug 10 2022 Vojtech Polasek  - 0.1.63-2
+- aligning with the latest STIG update (RHBZ#2112937)
+- OSPP: use Authselect minimal profile (RHBZ#2117192)
+- OSPP: change rules for protecting of boot (RHBZ#2116440)
+- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
+- fix handling of Defaults clause in sudoers (RHBZ#2083109)
+- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
+- fix handling of Rsyslog include directives (RHBZ#2075384)
 
-* Thu Nov 10 2022 Chang Gao  - 0.1.63-1.0.1
-- Add extra package 
+* Mon Aug 01 2022 Vojtech Polasek  - 0.1.63-1
+- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
 
-* Mon Aug 15 2022 Watson Sato  - 0.1.63-1
-- Update to the latest upstream release (RHBZ#2116347)
-- Update RHEL8 STIG profile to V1R7 (RHBZ#2116408)
-- Select grub2_disable_recovery in OSPP Profile (RHBZ#2117308)
-- Use authselect minimal profile in OSPP Profile (RHBZ#2117306)
-- Improve rules for CIS level1 partition options (RHBZ#2117510)
+* Wed Jun 01 2022 Matej Tyc  - 0.1.62-1
+- Rebase to a new upstream release (RHBZ#2070564)
 
 * Tue May 17 2022 Watson Sato  - 0.1.60-9
-- Fix validation of OVAL 5.10 content (RHBZ#2082556)
-- Fix Ansible sysctl remediation (RHBZ#2082556)
+- Fix validation of OVAL 5.10 content (RHBZ#2079241)
+- Fix Ansible sysctl remediation (RHBZ#2079241)
 
 * Tue May 03 2022 Watson Sato  - 0.1.60-8
-- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556)
-- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556)
+- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
+- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
 
 * Thu Feb 24 2022 Watson Sato  - 0.1.60-7
 - Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
-- 
Gitee


From 96bf25e738a8b43dc524c8b54a1226e795d23ea3 Mon Sep 17 00:00:00 2001
From: "taifu.gc" 
Date: Thu, 10 Nov 2022 02:22:35 +0800
Subject: [PATCH 2/3] Add extra package

---
 scap-security-guide.spec | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index db7efc0..fd28e68 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 # Base name of static rhel6 content tarball
 %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
 # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
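Review bot: `%define anolis_release .0.1` sits directly above a block of `%global` definitions and should use the same form: `%global anolis_release .0.1`. The two differ in scope (a `%define` evaluated inside a nested macro body or conditional is local to it, `%global` is not), and mixing them in the same header is how a Release tag ends up expanding to an empty suffix in one section of the spec. The downstream spec removed at the top of this series used `%define` as well, so this is the moment to align with the rest of the file rather than carry the inconsistency forward.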
@@ -6,7 +7,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.63
-Release:	4%{?dist}
+Release:	4%{anolis_release}%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@@ -71,6 +72,15 @@ The %{name}-doc package contains HTML formatted documents containing
 hardening guidances that have been generated from XCCDF benchmarks
 present in %{name} package.
 
+%package        extra
+Summary:        Extra files package
+Group:          System Environment/Base
+Requires:       %{name} = %{version}-%{release}
+
+%description    extra
+The %{name}-extra package contains various situation guidebooks
+
+
 %if ( %{defined rhel} && (! %{defined centos}) )
 %package	rule-playbooks
 Summary:	Ansible playbooks per each rule.
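Review bot: The `Summary:` and `%description` of the new `extra` subpackage do not say what it ships; the `%exclude` lines and `%files extra` later in this patch move the `ssg-rhel*` datastreams, the Bash and Ansible remediations, the kickstarts and the tailoring files into it, which is not "various situation guidebooks". Anyone on a non-RHEL host who points `oscap` at a RHEL datastream will find it missing from the main package and needs the metadata to tell them which subpackage to install, so spell it out: `Summary: RHEL SCAP datastreams, remediations and kickstarts split out of the main package` and `The %{name}-extra package contains the RHEL datastreams, Bash/Ansible remediations, kickstart and tailoring files that are not shipped in the main %{name} package.`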
@@ -81,6 +91,8 @@ Requires:	%{name} = %{version}-%{release}
 The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
 %endif
 
+
+
 %prep
 %autosetup -p1 -b1
 
@@ -115,6 +127,11 @@ cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name
 cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
 
 %files
+%exclude %{_datadir}/%{name}/ansible/rhel*
+%exclude %{_datadir}/%{name}/bash/rhel*
+%exclude %{_datadir}/%{name}/kickstart/ssg-rhel*
+%exclude %{_datadir}/%{name}/tailoring/rhel*
+%exclude %{_datadir}/xml/scap/ssg/content/ssg-rhel*
 %{_datadir}/xml/scap/ssg/content
 %{_datadir}/%{name}/kickstart
 %{_datadir}/%{name}/ansible
@@ -132,6 +149,13 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html
 
+%files extra
+%{_datadir}/%{name}/ansible/rhel*
+%{_datadir}/%{name}/bash/rhel*
+%{_datadir}/%{name}/kickstart/ssg-rhel*
+%{_datadir}/%{name}/tailoring/rhel*
+%{_datadir}/xml/scap/ssg/content/ssg-rhel*
+
 %if ( %{defined rhel} && (! %{defined centos}) )
 %files rule-playbooks
 %defattr(-,root,root,-)
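Review bot: `%files extra` carries no `%defattr(-,root,root,-)` while the neighbouring `%files rule-playbooks` section does. On current rpm the default is already root:root, so nothing changes on disk, but this section ships executable remediation content under `bash/` and `ansible/`, and an explicit ownership line makes the intent visible to anyone auditing the spec. Add `%defattr(-,root,root,-)` directly after `%files extra` to keep the two sections consistent.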
@@ -139,6 +163,9 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 
 %changelog
+* Mon Jan 30 2023 Chang Gao  - 0.1.63-4.0.1
+- Add extra package
+
 * Wed Aug 17 2022 Watson Sato  - 0.1.63-4
 - Fix check of enable_fips_mode on s390x (RHBZ#2070564)
 
-- 
Gitee


From 06f106051407620def574f8cbae5399d7959abce Mon Sep 17 00:00:00 2001
From: YuQing 
Date: Thu, 29 Dec 2022 18:12:45 +0800
Subject: [PATCH 3/3] Add product for Anolis8

Signed-off-by: YuQing 
---
 ...-0.1.65-supports_anolis_os_8-PR_9770.patch | 2957 +++++++++++++++++
 scap-security-guide.spec                      |    4 +
 2 files changed, 2961 insertions(+)
 create mode 100644 scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch

diff --git a/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch b/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch
new file mode 100644
index 0000000..7cd6a2d
--- /dev/null
+++ b/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch
@@ -0,0 +1,2957 @@
+From b9a5b670570ad914167f4f5efb85f2f9e3e7479e Mon Sep 17 00:00:00 2001
+From: YuQing 
+Date: Thu, 29 Dec 2022 16:57:11 +0800
+Subject: [PATCH] support anolis8
+
+---
+ CMakeLists.txt                                |   5 +
+ build_product                                 |   1 +
+ .../service_avahi-daemon_disabled/rule.yml    |   2 +-
+ .../base/service_abrtd_disabled/rule.yml      |   2 +-
+ .../base/service_qpidd_disabled/rule.yml      |   2 +-
+ .../base/service_rdisc_disabled/rule.yml      |   2 +-
+ .../file_groupowner_cron_d/rule.yml           |   2 +-
+ .../file_groupowner_cron_daily/rule.yml       |   2 +-
+ .../file_groupowner_cron_hourly/rule.yml      |   2 +-
+ .../file_groupowner_cron_monthly/rule.yml     |   2 +-
+ .../file_groupowner_cron_weekly/rule.yml      |   2 +-
+ .../file_groupowner_crontab/rule.yml          |   2 +-
+ .../cron_and_at/file_owner_cron_d/rule.yml    |   2 +-
+ .../file_owner_cron_daily/rule.yml            |   2 +-
+ .../file_owner_cron_hourly/rule.yml           |   2 +-
+ .../file_owner_cron_monthly/rule.yml          |   2 +-
+ .../file_owner_cron_weekly/rule.yml           |   2 +-
+ .../cron_and_at/file_owner_crontab/rule.yml   |   2 +-
+ .../file_permissions_cron_d/rule.yml          |   2 +-
+ .../file_permissions_cron_daily/rule.yml      |   2 +-
+ .../file_permissions_cron_hourly/rule.yml     |   2 +-
+ .../file_permissions_cron_monthly/rule.yml    |   2 +-
+ .../file_permissions_cron_weekly/rule.yml     |   2 +-
+ .../file_permissions_crontab/rule.yml         |   2 +-
+ .../file_at_deny_not_exist/rule.yml           |   2 +-
+ .../file_cron_deny_not_exist/rule.yml         |   2 +-
+ .../file_groupowner_at_allow/rule.yml         |   2 +-
+ .../file_groupowner_cron_allow/rule.yml       |   2 +-
+ .../file_owner_at_allow/rule.yml              |   2 +-
+ .../file_owner_cron_allow/rule.yml            |   2 +-
+ .../file_permissions_at_allow/rule.yml        |   2 +-
+ .../file_permissions_cron_allow/rule.yml      |   2 +-
+ .../cron_and_at/service_atd_disabled/rule.yml |   2 +-
+ .../service_crond_enabled/rule.yml            |   2 +-
+ .../service_dhcpd_disabled/rule.yml           |   2 +-
+ .../package_bind_removed/rule.yml             |   2 +-
+ .../service_named_disabled/rule.yml           |   2 +-
+ .../service_vsftpd_disabled/rule.yml          |   2 +-
+ .../service_httpd_disabled/rule.yml           |   2 +-
+ .../service_dovecot_disabled/rule.yml         |   2 +-
+ .../service_slapd_disabled/rule.yml           |   2 +-
+ .../service_rpcbind_disabled/rule.yml         |   2 +-
+ .../service_nfs_disabled/rule.yml             |   2 +-
+ .../nis/service_ypserv_disabled/rule.yml      |   2 +-
+ .../obsolete/service_rsyncd_disabled/rule.yml |   2 +-
+ .../printing/service_cups_disabled/rule.yml   |   2 +-
+ .../service_squid_disabled/rule.yml           |   2 +-
+ .../service_smb_disabled/rule.yml             |   2 +-
+ .../service_snmpd_disabled/rule.yml           |   2 +-
+ .../ssh/file_groupowner_sshd_config/rule.yml  |   2 +-
+ .../ssh/file_owner_sshd_config/rule.yml       |   2 +-
+ .../ssh/file_permissions_sshd_config/rule.yml |   2 +-
+ .../banner_etc_issue/rule.yml                 |   2 +-
+ .../accounts-banners/banner_etc_motd/rule.yml |   2 +-
+ .../file_groupowner_etc_issue/rule.yml        |   2 +-
+ .../file_groupowner_etc_motd/rule.yml         |   2 +-
+ .../file_owner_etc_issue/rule.yml             |   2 +-
+ .../file_owner_etc_motd/rule.yml              |   2 +-
+ .../file_permissions_etc_issue/rule.yml       |   2 +-
+ .../file_permissions_etc_motd/rule.yml        |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../accounts_password_pam_minclass/rule.yml   |   2 +-
+ .../accounts_password_pam_minlen/rule.yml     |   2 +-
+ .../accounts_password_pam_retry/rule.yml      |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../require_emergency_target_auth/rule.yml    |   2 +-
+ .../require_singleuser_auth/rule.yml          |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../account_unique_id/rule.yml                |   2 +-
+ .../group_unique_id/rule.yml                  |   2 +-
+ .../group_unique_name/rule.yml                |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../no_shelllogin_for_systemaccounts/rule.yml |   2 +-
+ .../root_logins/use_pam_wheel_for_su/rule.yml |   2 +-
+ .../accounts-session/accounts_tmout/rule.yml  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../file_ownership_home_directories/rule.yml  |   2 +-
+ .../accounts_umask_etc_bashrc/rule.yml        |   2 +-
+ .../audit_rules_file_deletion_events/rule.yml |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../file_groupowner_grub2_cfg/rule.yml        |   2 +-
+ .../non-uefi/file_owner_grub2_cfg/rule.yml    |   2 +-
+ .../file_permissions_grub2_cfg/rule.yml       |   2 +-
+ .../non-uefi/grub2_password/rule.yml          |   2 +-
+ .../file_groupowner_efi_grub2_cfg/rule.yml    |   2 +-
+ .../uefi/file_owner_efi_grub2_cfg/rule.yml    |   2 +-
+ .../file_permissions_efi_grub2_cfg/rule.yml   |   2 +-
+ .../uefi/grub2_uefi_password/rule.yml         |   2 +-
+ .../journald/journald_compress/rule.yml       |   2 +-
+ .../journald_forward_to_syslog/rule.yml       |   2 +-
+ .../journald/journald_storage/rule.yml        |   2 +-
+ .../package_firewalld_installed/rule.yml      |   2 +-
+ .../service_firewalld_enabled/rule.yml        |   2 +-
+ .../package_libreswan_installed/rule.yml      |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../sysctl_net_ipv4_tcp_syncookies/rule.yml   |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../sysctl_net_ipv4_ip_forward/rule.yml       |   2 +-
+ .../kernel_module_dccp_disabled/rule.yml      |   2 +-
+ .../kernel_module_sctp_disabled/rule.yml      |   2 +-
+ .../wireless_disable_interfaces/rule.yml      |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../file_permissions_ungroupowned/rule.yml    |   2 +-
+ .../mounting/service_autofs_disabled/rule.yml |   2 +-
+ .../disable_users_coredumps/rule.yml          |   2 +-
+ .../configure_bind_crypto_policy/rule.yml     |   2 +-
+ .../crypto/configure_crypto_policy/rule.yml   |   2 +-
+ .../configure_kerberos_crypto_policy/rule.yml |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../configure_openssl_crypto_policy/rule.yml  |   2 +-
+ .../configure_ssh_crypto_policy/rule.yml      |   2 +-
+ .../aide/aide_periodic_cron_checking/rule.yml |   2 +-
+ .../aide/package_aide_installed/rule.yml      |   2 +-
+ .../rpm_verify_hashes/rule.yml                |   2 +-
+ .../rpm_verify_permissions/rule.yml           |   2 +-
+ .../rule.yml                                  |   2 +-
+ .../ensure_redhat_gpgkey_installed/rule.yml   |   2 +-
+ .../security_patches_up_to_date/rule.yml      |   2 +-
+ products/anolis8/CMakeLists.txt               |   6 +
+ products/anolis8/overlays/.gitkeep            |   0
+ products/anolis8/product.yml                  |  23 +
+ products/anolis8/profiles/standard.profile    | 728 ++++++++++++++++++
+ products/anolis8/transforms/constants.xslt    |  10 +
+ products/anolis8/transforms/table-style.xslt  |   5 +
+ .../transforms/xccdf-apply-overlay-stig.xslt  |   8 +
+ .../anolis8/transforms/xccdf2table-cce.xslt   |   9 +
+ .../xccdf2table-profileccirefs.xslt           |   9 +
+ .../checks/oval/installed_OS_is_anolis8.xml   |  28 +
+ .../oval/sysctl_kernel_ipv6_disable.xml       |   1 +
+ ssg/constants.py                              |   6 +-
+ tests/unit/ssg-module/test_utils.py           |   2 +-
+ 163 files changed, 987 insertions(+), 150 deletions(-)
+ create mode 100644 products/anolis8/CMakeLists.txt
+ create mode 100644 products/anolis8/overlays/.gitkeep
+ create mode 100644 products/anolis8/product.yml
+ create mode 100644 products/anolis8/profiles/standard.profile
+ create mode 100644 products/anolis8/transforms/constants.xslt
+ create mode 100644 products/anolis8/transforms/table-style.xslt
+ create mode 100644 products/anolis8/transforms/xccdf-apply-overlay-stig.xslt
+ create mode 100644 products/anolis8/transforms/xccdf2table-cce.xslt
+ create mode 100644 products/anolis8/transforms/xccdf2table-profileccirefs.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_anolis8.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index e7a1ee7f1b..b25c043536 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -69,6 +69,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui
+ # unless explicitly asked for.
+ option(SSG_PRODUCT_ALINUX2 "If enabled, the Alinux 2 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_ALINUX3 "If enabled, the Alinux 3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+@@ -274,6 +275,7 @@ message(STATUS " ")
+ message(STATUS "Products:")
+ message(STATUS "Alinux 2: ${SSG_PRODUCT_ALINUX2}")
+ message(STATUS "Alinux 3: ${SSG_PRODUCT_ALINUX3}")
++message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}")
+ message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
+ message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}")
+ message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
+@@ -345,6 +347,9 @@ endif()
+ if (SSG_PRODUCT_ALINUX3)
+     add_subdirectory("products/alinux3" "alinux3")
+ endif()
++if (SSG_PRODUCT_ANOLIS8)
++    add_subdirectory("products/anolis8" "anolis8")
++endif()
+ if (SSG_PRODUCT_CHROMIUM)
+     add_subdirectory("products/chromium" "chromium")
+ endif()
+diff --git a/build_product b/build_product
+index 24ca39b408..011d23afc4 100755
+--- a/build_product
++++ b/build_product
+@@ -299,6 +299,7 @@ set_explict_build_targets() {
+ all_cmake_products=(
+ 	ALINUX2
+ 	ALINUX3
++	ANOLIS8
+ 	CHROMIUM
+ 	DEBIAN9
+ 	DEBIAN10
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+index a8c094ecb2..0ff67a5f08 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Avahi Server Software'
+ 
+diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
+index 6abe7b263b..38557afea1 100644
+--- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,uos20
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,uos20
+ 
+ title: 'Disable Automatic Bug Reporting Tool (abrtd)'
+ 
+diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
+index e33eba2efa..c71ce1b230 100644
+--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
+@@ -1,7 +1,7 @@
+ documentation_complete: true
+ 
+ # package is unlikely to appear on a RHEL9 system, don't extend to RHEL10
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
+ 
+ title: 'Disable Apache Qpid (qpidd)'
+ 
+diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
+index 75e2ada151..7ca16e3864 100644
+--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
+ 
+ title: 'Disable Network Router Discovery Daemon (rdisc)'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+index 908087499e..9916a189e6 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns cron.d'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+index 821cd13890..100b65a4fd 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns cron.daily'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+index ab2a16f811..f82f02dd85 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns cron.hourly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+index 0716370105..c0e0d5c9a6 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,rhel7,anolis8,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns cron.monthly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+index 32c5f6f8f8..f8f0ec7b2a 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns cron.weekly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+index 2865d54d83..49eab068de 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns Crontab'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+index 68ad645a56..46dcd7834d 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Owner on cron.d'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+index 371fc9d396..8276930669 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Owner on cron.daily'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+index f24897bdad..2d440fb041 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Owner on cron.hourly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+index 187eec8edb..3f67f4460f 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Owner on cron.monthly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+index f1d67d9bd9..815e388dd0 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Owner on cron.weekly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+index da2c8fad6d..17f6ad6104 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Owner on crontab'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+index a9130cefd5..8739f52446 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on cron.d'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+index 514ec15e05..787c56cd04 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on cron.daily'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+index 1a7934b24a..969c1d5e3a 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on cron.hourly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+index b05c8eab1b..3b3b0eb0ee 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on cron.monthly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+index d5d4e8db18..112e429da4 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on cron.weekly'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+index ffa87a2702..044c6c4ac9 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on crontab'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
+index 31a2180bcb..677d75d666 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9
++prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9
+ 
+ title: 'Ensure that /etc/at.deny does not exist'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
+index 9fb0d5b39d..8c79dfde16 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Ensure that /etc/cron.deny does not exist'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
+index ae516b961a..d78a713258 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel8,rhel9,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns /etc/at.allow file'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+index 8879c0fa2b..58df895763 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns /etc/cron.allow file'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
+index c8d7092226..f9b421a587 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify User Who Owns /etc/at.allow file'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
+index 9e6670911d..cc75d54f87 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify User Who Owns /etc/cron.allow file'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+index 279d36347e..776c0db6cf 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel8,rhel9,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on /etc/at.allow file'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+index adb16ec6b8..ef366a7927 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on /etc/cron.allow file'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
+index de88deaa2a..91f458db00 100644
+--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
++++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20
+ 
+ title: 'Disable At Service (atd)'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+index dbb7c7a06b..ace9ba592f 100644
+--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Enable cron Service'
+ 
+diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+index 0eb3829b17..fb9629af78 100644
+--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable DHCP Service'
+ 
+diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
+index bc2e7411cf..d0a4064ce3 100644
+--- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
++++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,uos20
++prodtype: anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,uos20
+ 
+ title: 'Uninstall bind Package'
+ 
+diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+index 2acaf85bec..e0cf2d773e 100644
+--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
++++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable named Service'
+ 
+diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
+index 1b723ce761..dc2813b11d 100644
+--- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
++++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable vsftpd Service'
+ 
+diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
+index ade2d740c2..27cbd7418f 100644
+--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
++++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable httpd Service'
+ 
+diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
+index 920de88bd0..ef3e17c687 100644
+--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
++++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable Dovecot Service'
+ 
+diff --git a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
+index 9780397e50..8501b6286f 100644
+--- a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
++++ b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel8,rhel9
++prodtype: alinux2,alinux3,anolis8,rhel8,rhel9
+ 
+ title: 'Disable LDAP Server (slapd)'
+ 
+diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+index 222dafa3ef..13a1224483 100644
+--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
++++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
+ 
+ title: 'Disable rpcbind Service'
+ 
+diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
+index ed3d8881db..42cc6befde 100644
+--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9
++prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9
+ 
+ title: 'Disable Network File System (nfs)'
+ 
+diff --git a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
+index 99e527ef10..4f414d3af1 100644
+--- a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
++++ b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel8,rhel9
++prodtype: alinux2,alinux3,anolis8,rhel8,rhel9
+ 
+ title: 'Disable ypserv Service'
+ 
+diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+index e3e56f5ea1..cac6fe082b 100644
+--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
++++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Ensure rsyncd service is diabled'
+ 
+diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
+index bf9ddbb5f3..dfd5918cf2 100644
+--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
++++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,rhel7,rhel8,rhel9,sle15,ubuntu2004
++prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15,ubuntu2004
+ 
+ title: 'Disable the CUPS Service'
+ 
+diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
+index 3e3f0f4f26..23d21f512a 100644
+--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
++++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable Squid'
+ 
+diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+index ee7b76b185..4aaeec5dc1 100644
+--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
++++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable Samba'
+ 
+diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+index 0bd8a0129b..fec9e270f3 100644
+--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
++++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,debian10,debian11,debian9,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Disable snmpd Service'
+ 
+diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+index feed2148e2..ae9297fb43 100644
+--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
++++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Who Owns SSH Server config file'
+ 
+diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+index f04aa5563c..6b34f4e3de 100644
+--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
++++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Owner on SSH Server config file'
+ 
+diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+index ddad4da469..895528c371 100644
+--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
++++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Permissions on SSH Server config file'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+index bbb16cd644..ab5eff0320 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Modify the System Login Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
+index cdc981fc3d..3d318ef46b 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Modify the System Message of the Day Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
+index 66a7f83077..f0fd86e8e3 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Ownership of System Login Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+index 4be94f2b2c..ebcb659853 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify Group Ownership of Message of the Day Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
+index a3d6b97b56..0b6012d2a9 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify ownership of System Login Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
+index d42b843421..5701faa68d 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify ownership of Message of the Day Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+index 2b9349f75b..111143de2e 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify permissions on System Login Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+index f5d9279b90..8043b9c07e 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify permissions on Message of the Day Banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+index 73f2afff87..b4972e25e6 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+ 
+ title: 'Limit Password Reuse: password-auth'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
+index fd85b25e98..2bb70d9762 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+ 
+ title: 'Limit Password Reuse: system-auth'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+index 37bd49f696..31327aa03f 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,ubuntu2004
+ 
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+index 3dc5600b26..267c81b5ae 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
+ 
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+index 4d1b5ebe4a..733777d0ce 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
++prodtype: alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
+ 
+ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+index b35b01c467..4aaf3ff64f 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: "Set PAM''s Password Hashing Algorithm"
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+index 1a247ecfb9..a8445adbf7 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Require Authentication for Emergency Systemd Target'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+index 932d76c36d..318e9c862d 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Require Authentication for Single User Mode'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+index 0cb369e82f..01767ce542 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Set Account Expiration Following Inactivity'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+index de96fd58c4..3469cbf01c 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
+ 
+ title: 'Ensure All Accounts on the System Have Unique User IDs'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
+index 42a5c3a7b3..4a660ab92e 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle15
+ 
+ title: 'Ensure All Groups on the System Have Unique Group ID'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
+index 756b2ae5bf..33554937a0 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,rhel7,rhel8,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,sle15
+ 
+ title: 'Ensure All Groups on the System Have Unique Group Names'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+index 9384d5a981..ccb42a9749 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Set Existing Passwords Maximum Age'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+index 8e4beddc05..378e2f4c49 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Set Existing Passwords Minimum Age'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+index af6e93ebf7..bc6e82e93d 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: 'Ensure that System Accounts Do Not Run a Shell Upon Login'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+index 9213cc472d..f9a2464f92 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004
+ 
+ title: 'Enforce usage of pam_wheel for su authentication'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+index 978ddff0ca..f4e0dee229 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Set Interactive Session Timeout'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index 2bd171f3fd..ee8ce9a668 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+index 4ed84ef0a8..827bb124f4 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+ 
+ title: 'All Interactive User Home Directories Must Be Owned By The Primary User'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+index a1e472043f..fd8fcebe81 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: 'Ensure the Default Bash Umask is Set Correctly'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+index 14e3d2e07b..406b78f8c9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
+ 
+ title: 'Ensure auditd Collects File Deletion Events by User'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+index ab60d66375..63028b39ec 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index 3e28446e61..2e2b31ec06 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Record Unsuccessful Access Attempts to Files - creat'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index 32ef125722..7f22f2cee8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index 1587662730..3e0220853d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Record Unsuccessful Access Attempts to Files - open'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index 3738f202fc..e44c876b23 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index 61f278a9f2..c8552433d3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Record Unsuccessful Access Attempts to Files - openat'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index 0a1e39df2e..4e245ab020 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Record Unsuccessful Access Attempts to Files - truncate'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+index ac639d5b31..247e9a1aa5 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+index 56463078fc..aaaf635cd0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+index c3e5d7a702..46065fc27a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+index 334165f75e..4d4e1338c4 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
+index ca391cc112..099414f33f 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Group Ownership'
+ 
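Review bot: The new `prodtype` line here adds `anolis8` to a rule whose title expands `{{{ grub2_boot_path }}}`, and the same holds for the `file_owner_grub2_cfg` and `file_permissions_grub2_cfg` hunks that follow; the build presumably needs that variable defined in the anolis8 product definition, and since that file is not in this chunk it is worth confirming it is set, otherwise rendering these rules fails rather than quietly skipping them. The remaining hunks in this chunk are the same one-word `prodtype` addition and raise nothing further. Listing `anolis8` in `prodtype` only makes a rule buildable for that product; a sentence in the commit description naming the anolis8 profile that actually selects these rules would make the change easier to verify.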
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
+index 40a8b787af..fab8602f08 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify {{{ grub2_boot_path }}}/grub.cfg User Ownership'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
+index e4a08f5876..c1c793e73b 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Permissions'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+index 28adf2303e..9472bbe292 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Set Boot Loader Password in grub2'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+index a7fb015139..4b12d06e13 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8
+ 
+ title: 'Verify the UEFI Boot Loader grub.cfg Group Ownership'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+index f8f91f2a49..f577dc1d5a 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8
+ 
+ title: 'Verify the UEFI Boot Loader grub.cfg User Ownership'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+index 348a0fe243..9b1ea037e6 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9
+ 
+ 
+ title: 'Verify the UEFI Boot Loader grub.cfg Permissions'
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index ecfee6ada4..35d0c8ca45 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Set the UEFI Boot Loader Password'
+ 
+diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
+index 39d727ba86..5e192bbabf 100644
+--- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml
++++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: Ensure journald is configured to compress large log files
+ 
+diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
+index ca35dd9370..8bac5b49e8 100644
+--- a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
++++ b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,rhel7,rhel8,rhel9
++prodtype: alinux3,anolis8,rhel7,rhel8,rhel9
+ 
+ title: Ensure journald is configured to send logs to rsyslog
+ 
+diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
+index 8176701520..3a5c5e460b 100644
+--- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml
++++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,rhel7,rhel8,rhel9,sle15
++prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15
+ 
+ title: Ensure journald is configured to write log files to persistent disk
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+index 10750e14ae..bd7a2fbb09 100644
+--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
++prodtype: alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
+ 
+ title: 'Install firewalld Package'
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+index 5b43737544..e3d443f584 100644
+--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Verify firewalld Enabled'
+ 
+diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+index 6f110d679b..705c47a4d8 100644
+--- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
++++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
++prodtype: anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
+ 
+ title: 'Install libreswan Package'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+index 6118cd929d..bd47636f77 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Configure Accepting Router Advertisements on All IPv6 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+index 777bd7c7a1..7a4411d128 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+index ce64d6e653..be86a4e56e 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+index b4c1f42b68..eaa6b55d20 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for IPv6 Forwarding'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+index d45ca63c8d..158f1b9773 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Accepting Router Advertisements on all IPv6 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+index a42ca1890b..6723e8ab3b 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+index 49d059ccf5..c2f7d5ef7f 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+index 9a2c88cde5..29fb46c2f8 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+index e4e87ff110..3e9d8eef15 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+index aeecbae5fb..1ebf98a487 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+index 4d31c6c3eb..5a00b590b5 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+index abe92e65a5..5dce2c1517 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+index 47abcc223b..6e0281ea25 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+index 043f16e26e..1882f1a3eb 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+index 38602c00b1..6d4a4225c9 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+index 09ff60235f..2d5b22ec63 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+index f21dfa912a..bea8153427 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+index d45ebce67f..983ea889e8 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+index 4f552dfce9..b841e4e302 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+index e87793d5f6..0292844c8a 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+index e44509ea33..96fe691e3e 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+index b3534eb737..9a1049f59a 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+index 7acfc0b05b..bebb4df43e 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+index 2087834007..2820608fce 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable DCCP Support'
+ 
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+index f8b020fc5a..2a95c3a1df 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable SCTP Support'
+ 
+diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+index b3e20e7b0d..31ed5d33c0 100644
+--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Deactivate Wireless Network Interfaces'
+ 
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+index f23bcd31d8..bc87146694 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+@@ -2,7 +2,7 @@ documentation_complete: true
+ 
+ title: 'Ensure All SGID Executables Are Authorized'
+ 
+-prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
+ 
+ description: |-
+     The SGID (set group id) bit should be set only on files that were
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+index 73d98ee1fc..f6c7ef7e4e 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+@@ -2,7 +2,7 @@ documentation_complete: true
+ 
+ title: 'Ensure All SUID Executables Are Authorized'
+ 
+-prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
+ 
+ description: |-
+     The SUID (set user id) bit should be set only on files that were
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+index 123f967db0..18c6b37409 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Ensure All Files Are Owned by a Group'
+ 
+diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+index c774309fca..0cca02ba0b 100644
+--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,uos20
+ 
+ title: 'Disable the Automounter'
+ 
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+index c2c0f05d40..989ad0629f 100644
+--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: 'Disable Core Dumps for All Users'
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+index 870150aadf..03e830776f 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
+ 
+ title: 'Configure BIND to use System Crypto Policy'
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+index de186e7684..92769e5110 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
+ 
+ title: 'Configure System Cryptography Policy'
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
+index 68f748ebf5..3a2df056e7 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20
+ 
+ title: 'Configure Kerberos to use System Crypto Policy'
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+index e769599ae5..09745c9e50 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
+ 
+ title: 'Configure Libreswan to use System Crypto Policy'
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+index 49b35d058d..db7866bdd8 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
+ 
+ title: 'Configure OpenSSL library to use System Crypto Policy'
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+index ab9408af96..573983212d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
+ 
+ title: 'Configure SSH to use System Crypto Policy'
+ 
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
+index 3b70a5979c..d5abd91d1c 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
+@@ -4,7 +4,7 @@
+ 
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Configure Periodic Execution of AIDE'
+ 
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+index 287ac5575e..66720c2c09 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+ 
+ title: 'Install AIDE'
+ 
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
+index d3d3224739..94a08024d2 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,uos20
+ 
+ title: 'Verify File Hashes with RPM'
+ 
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+index c51b054612..2c9d3e65d4 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20
+ 
+ title: 'Verify and Correct File Permissions with RPM'
+ 
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+index 17fe909be2..22c1776a19 100644
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
+ 
+ title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
+ 
+diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml
+index 58ae682542..42d87f4c66 100644
+--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml
++++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,uos20
++prodtype: alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,uos20
+ 
+ title: 'Ensure Red Hat GPG Key Installed'
+ 
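Review bot: Adding anolis8 to the prodtype of ensure_redhat_gpgkey_installed (the `+prodtype:` line of this hunk) enables a rule whose title and intent is the Red Hat release key, which is not the key that signs Anolis OS packages; unless the rule body is templated to pick a product-specific key, the check would either fail on every Anolis host or pass against a key that does not sign its packages. Either keep anolis8 out of this rule and rely on ensure_gpgcheck_globally_activated (also extended in this patch) until a product-specific key rule exists, or confirm that the rule selects the Anolis signing key for the anolis8 product. The rule body is outside the hunk, so this is inferred from the title and the rule name alone.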
+diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
+index 607846e10f..ac623b8b78 100644
+--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
++++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20
+ 
+ title: 'Ensure Software Patches Installed'
+ 
+diff --git a/products/anolis8/CMakeLists.txt b/products/anolis8/CMakeLists.txt
+new file mode 100644
+index 0000000000..5e1cfa01ad
+--- /dev/null
++++ b/products/anolis8/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd anolis8; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++ssg_build_product("anolis8")
+diff --git a/products/anolis8/overlays/.gitkeep b/products/anolis8/overlays/.gitkeep
+new file mode 100644
+index 0000000000..e69de29bb2
+diff --git a/products/anolis8/product.yml b/products/anolis8/product.yml
+new file mode 100644
+index 0000000000..b81bb76575
+--- /dev/null
++++ b/products/anolis8/product.yml
+@@ -0,0 +1,23 @@
++product: anolis8
++full_name: Anolis OS 8
++type: platform
++
++benchmark_id: ANOLIS-8
++benchmark_root: "../../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "yum"
++
++init_system: "systemd"
++
++cpes_root: "../../shared/applicability"
++cpes:
++  - anolis8:
++      name: "cpe:/o:anolis:anolis_os:8"
++      title: "Anolis OS 8"
++      check_id: installed_OS_is_anolis8
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile
+new file mode 100644
+index 0000000000..a9f86ca49b
+--- /dev/null
++++ b/products/anolis8/profiles/standard.profile
+@@ -0,0 +1,728 @@
++documentation_complete: true
++
++title: 'Standard System Security Profile for Anolis OS 8'
++
++description: |-
++    This profile contains rules to ensure standard security baseline
++    of a Anolis OS 8 system.
++
++selections:
++    # 1 access-and-control
++    ## 1.1-ensure-cron-daemon-is-enabled
++    ### Level 1
++    - service_crond_enabled
++
++    ## 1.2-ensure-permissions-on-etc-crontab-are-configured
++    ### Level 1
++    - file_groupowner_crontab
++    - file_owner_crontab
++    - file_permissions_crontab
++
++    ## 1.3-ensure-permissions-on-etc-cron.hourly-are-configured
++    ### Level 1
++    - file_groupowner_cron_hourly
++    - file_owner_cron_hourly
++    - file_permissions_cron_hourly
++
++    ## 1.4-ensure-permissions-on-etc-cron.daily-are-configured
++    ### Level 1
++    - file_groupowner_cron_daily
++    - file_owner_cron_daily
++    - file_permissions_cron_daily
++
++    ## 1.5-ensure-permissions-on-etc-cron.weekly-are-configured
++    ### Level 1
++    - file_groupowner_cron_weekly
++    - file_owner_cron_weekly
++    - file_permissions_cron_weekly
++
++    ## 1.6-ensure-permissions-on-etc-cron.monthly-are-configured
++    ### Level 1
++    - file_groupowner_cron_monthly
++    - file_owner_cron_monthly
++    - file_permissions_cron_monthly
++
++    ## 1.7-ensure-permissions-on-etc-cron.d-are-configured
++    ### Level 1
++    - file_groupowner_cron_d
++    - file_owner_cron_d
++    - file_permissions_cron_d
++
++    ## 1.8-ensure-at-cron-is-restricted-to-authorized-users
++    ### Level 1
++    - file_groupowner_cron_allow
++    - file_owner_cron_allow
++    - file_cron_deny_not_exist
++    - file_groupowner_at_allow
++    - file_owner_at_allow
++    - file_at_deny_not_exist
++    - file_permissions_at_allow
++    - file_permissions_cron_allow
++
++    ## 1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured
++    ### Level 1
++    - file_groupowner_sshd_config
++    - file_owner_sshd_config
++    - file_permissions_sshd_config
++
++    ## 1.10-ensure-ssh-access-is-limited
++    ### Level 2
++    # Needs rule
++
++    ## 1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured
++    ### Level 1
++    - file_permissions_sshd_private_key
++
++    ## 1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured
++    ### Level 1
++    - file_permissions_sshd_pub_key
++
++    ## 1.13-ensure-ssh-loglevel-is-appropriate
++    ### Level 1
++    - sshd_set_loglevel_verbose
++    # or
++    - sshd_set_loglevel_info
++
++    ## 1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less
++    ### Level 1
++    - sshd_max_auth_tries_value=4
++    - sshd_set_max_auth_tries
++
++    ## 1.15-ensure-ssh-ignorerhosts-is-enabled
++    ### Level 1
++    - sshd_disable_rhosts
++
++    ## 1.16-ensure-ssh-hostbasedauthentication-is-disabled
++    ### Level 1
++    - disable_host_auth
++
++    ## 1.17-ensure-ssh-root-login-is-disabled
++    ### Level 1
++    - sshd_disable_root_login
++
++    ## 1.18-ensure-ssh-permitemptypasswords-is-disabled
++    ### Level 1
++    - sshd_disable_empty_passwords
++
++    ## 1.19-ensure-ssh-permituserenvironment-is-disabled
++    ### Level 1
++    - sshd_do_not_permit_user_env
++
++    ## 1.20-ensure-ssh-idle-timeout-interval-is-configured
++    ### Level 1
++    - sshd_idle_timeout_value=15_minutes
++    - sshd_set_idle_timeout
++    - sshd_set_keepalive
++    - var_sshd_set_keepalive=0
++
++    ## 1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less
++    ### Level 1
++    - sshd_set_login_grace_time
++    - var_sshd_set_login_grace_time=60
++
++    ## 1.22-ensure-ssh-warning-banner-is-configured
++    ### Level 1
++    - sshd_enable_warning_banner
++
++    ## 1.23-ensure-ssh-pam-is-enabled
++    ### Level 1
++    - sshd_enable_pam
++
++    ## 1.24-ensure-ssh-maxstartups-is-configured
++    ### Level 1
++    - sshd_set_maxstartups
++    - var_sshd_set_maxstartups=10:30:60
++
++    ## 1.25-ensure-ssh-maxsessions-is-set-to-10-or-less
++    ### Level 1
++    - sshd_set_max_sessions
++    - var_sshd_max_sessions=10
++
++    ## 1.26-ensure-system-wide-crypto-policy-is-not-over-ridden
++    ### Level 1
++    # Needs rule
++
++    ## 1.27-ensure-password-creation-requirements-are-configured
++    ### Level 1
++    - accounts_password_pam_minclass
++    - accounts_password_pam_minlen
++    - accounts_password_pam_retry
++    - var_password_pam_minclass=4
++    - var_password_pam_minlen=14
++
++    ## 1.28-ensure-lockout-for-failed-password-attempts-is-configured
++    ### Level 1
++    - locking_out_password_attempts
++
++    ## 1.29-ensure-password-reuse-is-limited
++    ### Level 1
++    - accounts_password_pam_pwhistory_remember_password_auth
++    - accounts_password_pam_pwhistory_remember_system_auth
++    - var_password_pam_remember_control_flag=required
++    - var_password_pam_remember=5
++
++    ## 1.30-ensure-password-hashing-algorithm-is-sha-512
++    ### Level 1
++    - set_password_hashing_algorithm_systemauth
++
++    ## 1.31-ensure-password-expiration-is-365-days-or-less
++    ### Level 1
++    - accounts_maximum_age_login_defs
++    - var_accounts_maximum_age_login_defs=365
++    - accounts_password_set_max_life_existing
++
++    ## 1.32-ensure-minimum-days-between-password-changes-is-7-or-more
++    ### Level 1
++    - accounts_minimum_age_login_defs
++    - var_accounts_minimum_age_login_defs=7
++    - accounts_password_set_min_life_existing
++
++    ## 1.33-ensure-password-expiration-warning-days-is-7-or-more
++    ### Level 1
++    - accounts_password_warn_age_login_defs
++    - var_accounts_password_warn_age_login_defs=7
++
++    ## 1.34-ensure-inactive-password-lock-is-30-days-or-less
++    ### Level 1
++    - account_disable_post_pw_expiration
++    - var_account_disable_post_pw_expiration=30
++
++    ## 1.35-ensure-all-users-last-password-change-date-is-in-the-past
++    ### Level 2
++    # Needs rule
++
++    ## 1.36-ensure-system-accounts-are-secured
++    ### Level 1
++    - no_shelllogin_for_systemaccounts
++
++    ## 1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less
++    ### Level 1
++    - accounts_tmout
++    - var_accounts_tmout=15_min
++
++    ## 1.38-ensure-default-group-for-the-root-account-is-gid-0
++    ### Level 1
++    - accounts_root_gid_zero
++
++    ## 1.39-ensure-default-user-umask-is-027-or-more-restrictive
++    ### Level 1
++    - accounts_umask_etc_bashrc
++    - accounts_umask_etc_login_defs
++    - accounts_umask_etc_profile
++    - var_accounts_user_umask=027
++
++    ## 1.40-ensure-access-to-the-su-command-is-restricted
++    ### Level 1
++    - use_pam_wheel_for_su
++
++    ## 1.41-ensure-ssh-server-use-protocol_2
++    ### Level 1
++    - sshd_allow_only_protocol2
++
++    ## 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users
++    ### Level 1
++    # Needs rule
++
++    ## 2.2-ensure-only-authorized-users-own-audit-log-files
++    ### Level 1
++    # Needs rule
++
++    ## 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files
++    ### Level 1
++    # Needs rule
++
++    ## 2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive
++    ### Level 1
++    # Needs rule
++
++    ## 2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive
++    ### Level 1
++    # Needs rule
++
++    ## 2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files
++    ### Level 1
++    # Needs rule
++
++    ## 2.7-ensure-only-authorized-groups-own-the-audit-configuration-files
++    ### Level 1
++    # Needs rule
++
++    ## 2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive
++    ### Level 1
++    # Needs rule
++
++    ## 2.9-ensure-audit-tools-are-owned-by-root
++    ### Level 1
++    # Needs rule
++
++    ## 2.10-ensure-audit-tools-are-group-owned-by-root
++    ### Level 1
++    # Needs rule
++
++    ## 2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools
++    ### Level 1
++    # Needs rule
++
++    ## 2.12-ensure-rsyslog-is-installed
++    ### Level 1
++    - package_rsyslog_installed
++
++    ## 2.13-ensure-rsyslog-service-is-enabled
++    ### Level 1
++    - service_rsyslog_enabled
++
++    ## 2.14-ensure-rsyslog-default-file-permissions-configured
++    ### Level 1
++    # Needs rule
++
++    ## 2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host
++    ### Level 2
++    - rsyslog_remote_loghost
++
++    ## 2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog
++    ### Level 1
++    - journald_forward_to_syslog
++
++    ## 2.17-ensure-journald-is-configured-to-compress-large-log-files
++    ### Level 1
++    - journald_compress
++
++    ## 2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk
++    ### Level 1
++    - journald_storage
++
++    ## 2.19-ensure-audit-is-installed
++    ### Level 1
++    - package_audit_installed
++
++    ## 2.20-ensure-audit-service-is-enabled
++    ### Level 3
++    - service_auditd_enabled
++
++    ## 3.1-disable-http-server
++    ### Level 1
++    - service_httpd_disabled
++
++    ## 3.2-disable-ftp-server
++    ### Level 1
++    - service_vsftpd_disabled
++
++    ## 3.3-disable-dns-server
++    ### Level 1
++    - service_named_disabled
++
++    ## 3.4-disable-nfs
++    ### Level 1
++    - service_nfs_disabled
++
++    ## 3.5-disable-rpc
++    ### Level 1
++    - service_rpcbind_disabled
++
++    ## 3.6-disable-ldap-server
++    ### Level 1
++    - service_slapd_disabled
++
++    ## 3.7-disable-dhcp-server
++    ### Level 1
++    - service_dhcpd_disabled
++
++    ## 3.8-disable-cups
++    ### Level 1
++    - service_cups_disabled
++
++    ## 3.9-disable-nis-server
++    ### Level 1
++    - service_ypserv_disabled
++
++    ## 3.10-disable-rsync-server
++    ### Level 1
++    - service_rsyncd_disabled
++
++    ## 3.11-disable-avahi-server
++    ### Level 1
++    - service_avahi-daemon_disabled
++
++    ## 3.12-disable-snmp-server
++    ### Level 1
++    - service_snmpd_disabled
++
++    ## 3.13-disable-http-proxy-server
++    ### Level 1
++    - service_squid_disabled
++
++    ## 3.14-disable-samba
++    ### Level 1
++    - service_smb_disabled
++
++    ## 3.15-disable-imap-and-pop3-server
++    ### Level 1
++    - service_dovecot_disabled
++
++    ## 3.16-disable-smtp-protocol
++    ### Level 1
++    # Needs rule
++
++    ## 3.17-disable-telnet-port-23
++    ### Level 1
++    # Needs rule
++
++    ## 4.1-ensure-message-of-the-day-is-configured-properly
++    ### Level 1
++    - banner_etc_motd
++    - login_banner_text=cis_banners
++
++    ## 4.2-ensure-local-login-warning-banner-is-configured-properly
++    ### Level 1
++    - banner_etc_issue
++    - login_banner_text=cis_banners
++
++    ## 4.3-ensure-remote-login-warning-banner-is-configured-properly
++    ### Level 1
++    # Needs rule
++
++    ## 4.4-ensure-permissions-on-etc-motd-are-configured
++    ### Level 1
++    - file_groupowner_etc_motd
++    - file_owner_etc_motd
++    - file_permissions_etc_motd
++
++    ## 4.5-ensure-permissions-on-etc-issue-are-configured
++    ### Level 1
++    - file_groupowner_etc_issue
++    - file_owner_etc_issue
++    - file_permissions_etc_issue
++
++    ## 4.6-ensure-permissions-on-etc-issue.net-are-configured
++    ### Level 1
++    # Needs rule
++
++    ## 4.7-ensure-gpgcheck-is-globally-activated
++    ### Level 1
++    - ensure_gpgcheck_globally_activated
++
++    ## 4.8-ensure-aide-is-installed
++    ### Level 1
++    - package_aide_installed
++
++    ## 4.9-ensure-filesystem-integrity-is-regularly-checked
++    ### Level 1
++    - aide_periodic_cron_checking
++
++    ## 4.10-ensure-bootloader-password-is-set
++    ### Level 2
++    - grub2_password
++
++    ## 4.11-ensure-permissions-on-bootloader-config-are-configured
++    ### Level 1
++    #- file_groupowner_efi_grub2_cfg
++    - file_groupowner_grub2_cfg
++    #- file_owner_efi_grub2_cfg
++    - file_owner_grub2_cfg
++    #- file_permissions_efi_grub2_cfg
++    - file_permissions_grub2_cfg
++
++    ## 4.12-ensure-authentication-required-for-single-user-mode
++    ### Level 1
++    - require_singleuser_auth
++    - require_emergency_target_auth
++
++    ## 4.13-ensure-core-dumps-are-restricted
++    ### Level 1
++    - disable_users_coredumps
++    - sysctl_fs_suid_dumpable
++    - coredump_disable_backtraces
++    - coredump_disable_storage
++
++    ## 4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled
++    ### Level 1
++    - sysctl_kernel_randomize_va_space
++
++    ## 4.15-ensure-system-wide-crypto-policy-is-not-legacy
++    ### Level 1
++    - configure_crypto_policy
++    - var_system_crypto_policy=default_policy
++
++    ## 4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories
++    ### Level 1
++    - dir_perms_world_writable_sticky_bits
++
++    ## 4.17-ensure-permissions-on-etc-passwd-are-configured
++    ### Level 1
++    - file_permissions_etc_passwd
++
++    ## 4.18-ensure-permissions-on-etc-shadow-are-configured
++    ### Level 1
++    - file_owner_etc_shadow
++    - file_groupowner_etc_shadow
++    - file_permissions_etc_shadow
++
++    ## 4.19-ensure-permissions-on-etc-group-are-configured
++    ### Level 1
++    - file_groupowner_etc_group
++    - file_owner_etc_group
++    - file_permissions_etc_group
++
++    ## 4.20-ensure-permissions-on-etc-gshadow-are-configured
++    ### Level 1
++    - file_groupowner_etc_gshadow
++    - file_owner_etc_gshadow
++    - file_permissions_etc_gshadow
++
++    ## 4.21-ensure-permissions-on-etc-passwd--are-configured
++    ### Level 1
++    - file_groupowner_backup_etc_passwd
++    - file_owner_backup_etc_passwd
++    - file_permissions_backup_etc_passwd
++
++    ## 4.22-ensure-permissions-on-etc-shadow--are-configured
++    ### Level 1
++    - file_groupowner_backup_etc_shadow
++    - file_owner_backup_etc_shadow
++    - file_permissions_backup_etc_shadow
++
++    ## 4.23-ensure-permissions-on-etc-group--are-configured
++    ### Level 1
++    - file_groupowner_backup_etc_group
++    - file_owner_backup_etc_group
++    - file_permissions_backup_etc_group
++
++    ## 4.24-ensure-permissions-on-etc-gshadow--are-configured
++    ### Level 1
++    - file_groupowner_backup_etc_gshadow
++    - file_owner_backup_etc_gshadow
++    - file_permissions_backup_etc_gshadow
++
++    ## 4.25-ensure-no-world-writable-files-exist
++    ### Level 2
++    - file_permissions_unauthorized_world_writable
++
++    ## 4.26-ensure-no-unowned-files-or-directories-exist
++    ### Level 2
++    # Needs rule
++
++    ## 4.27-ensure-no-ungrouped-files-or-directories-exist
++    ### Level 2
++    - file_permissions_ungroupowned
++
++    ## 4.28-ensure-no-password-fields-are-not-empty
++    ### Level 2
++    # Needs rule
++
++    ## 4.29-ensure-root-path-integrity
++    ### Level 2
++    - accounts_root_path_dirs_no_write
++    - root_path_no_dot
++
++    ## 4.30-ensure-root-is-the-only-uid-0-account
++    ### Level 2
++    - accounts_no_uid_except_zero
++
++    ## 4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive
++    ### Level 1
++    # Needs rule
++
++    ## 4.32-ensure-users-own-their-home-directories
++    ### Level 1
++    - file_ownership_home_directories
++    - file_groupownership_home_directories
++
++    ## 4.33-ensure-users-dot-files-are-not-group-or-world-writable
++    ### Level 1
++    # Needs rule
++
++    ## 4.34-ensure-no-users-have-.forward-files
++    ### Level 1
++    # Needs rule
++
++    ## 4.35-ensure-no-users-have-.netrc-files
++    ### Level 1
++    - no_netrc_files
++
++    ## 4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible
++    ### Level 1
++    # Needs rule
++
++    ## 4.37-ensure-no-users-have-.rhosts-files
++    ### Level 1
++    - no_rsh_trust_files
++
++    ## 4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group
++    ### Level 2
++    # Needs rule
++
++    ## 4.39-ensure-no-duplicate-uids-exist
++    ### Level 2
++    - account_unique_id
++
++    ## 4.40-ensure-no-duplicate-gids-exist
++    ### Level 2
++    - group_unique_id
++
++    ## 4.41-ensure-no-duplicate-user-names-exist
++    ### Level 2
++    # Needs rule
++
++    ## 4.42-ensure-no-duplicate-group-names-exist
++    ### Level 2
++    - group_unique_name
++
++    ## 4.43-ensure-all-users-home-directories-exist
++    ### Level 1
++    # Needs rule
++
++    ## 4.44-ensure-sctp-is-disabled
++    ### Level 1
++    - kernel_module_sctp_disabled
++
++    ## 4.45-ensure-dccp-is-disabled
++    ### Level 1
++    - kernel_module_dccp_disabled
++
++    ## 4.46-ensure-wireless-interfaces-are-disabled
++    ### Level 1
++    - wireless_disable_interfaces
++
++    ## 4.47-ensure-ip-forwarding-is-disabled
++    ### Level 1
++    - sysctl_net_ipv4_ip_forward
++    - sysctl_net_ipv6_conf_all_forwarding
++    - sysctl_net_ipv6_conf_all_forwarding_value=disabled
++
++    ## 4.48-ensure-packet-redirect-sending-is-disabled
++    ### Level 1
++    - sysctl_net_ipv4_conf_all_send_redirects
++    - sysctl_net_ipv4_conf_default_send_redirects
++
++    ## 4.49-ensure-source-routed-packets-are-not-accepted
++    ### Level 1
++    - sysctl_net_ipv4_conf_all_accept_source_route
++    - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
++    - sysctl_net_ipv4_conf_default_accept_source_route
++    - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
++    - sysctl_net_ipv6_conf_all_accept_source_route
++    - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
++    - sysctl_net_ipv6_conf_default_accept_source_route
++    - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
++
++    ## 4.50-ensure-icmp-redirects-are-not-accepted
++    ### Level 1
++    - sysctl_net_ipv4_conf_all_accept_redirects
++    - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
++    - sysctl_net_ipv4_conf_default_accept_redirects
++    - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
++    - sysctl_net_ipv6_conf_all_accept_redirects
++    - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
++    - sysctl_net_ipv6_conf_default_accept_redirects
++    - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
++
++    ## 4.51-ensure-secure-icmp-redirects-are-not-accepted
++    ### Level 1
++    - sysctl_net_ipv4_conf_all_secure_redirects
++    - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
++    - sysctl_net_ipv4_conf_default_secure_redirects
++    - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
++
++    ## 4.52-ensure-suspicious-packets-are-logged
++    ### Level 1
++    - sysctl_net_ipv4_conf_all_log_martians
++    - sysctl_net_ipv4_conf_all_log_martians_value=enabled
++    - sysctl_net_ipv4_conf_default_log_martians
++    - sysctl_net_ipv4_conf_default_log_martians_value=enabled
++
++    ## 4.53-ensure-broadcast-icmp-requests-are-ignored
++    ### Level 1
++    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
++
++    ## 4.54-ensure-bogus-icmp-responses-are-ignored
++    ### Level 1
++    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
++
++    ## 4.55-ensure-reverse-path-filtering-is-enabled
++    ### Level 1
++    - sysctl_net_ipv4_conf_all_rp_filter
++    - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
++    - sysctl_net_ipv4_conf_default_rp_filter
++    - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
++
++    ## 4.56-ensure-tcp-syn-cookies-is-enabled
++    ### Level 1
++    - sysctl_net_ipv4_tcp_syncookies
++    - sysctl_net_ipv4_tcp_syncookies_value=enabled
++
++    ## 4.57-ensure-ipv6-router-advertisements-are-not-accepted
++    ### Level 1
++    - sysctl_net_ipv6_conf_all_accept_ra
++    - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
++    - sysctl_net_ipv6_conf_default_accept_ra
++    - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
++
++    ## 4.58-ensure-a-firewall-package-is-installed
++    ### Level 1
++    - package_firewalld_installed
++
++    ## 4.59-ensure-firewalld-service-is-enabled-and-running
++    ### Level 1
++    - service_firewalld_enabled
++
++    ## 4.60-ensure-iptables-is-not-enabled
++    ### Level 1
++    # Needs rule
++
++    ## 4.61-ensure-nftables-is-not-enabled
++    ### Level 1
++    # Needs rule
++
++    ## 4.62-ensure-nftables-service-is-enabled
++    ### Level 1
++    # Needs rule
++
++    ## 4.63-ensure-iptables-packages-are-installed
++    ### Level 1
++    - package_iptables_installed
++
++    ## 4.64-ensure-nftables-is-not-installed
++    ### Level 1
++    # Needs rule
++
++    ## 4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked
++    ### Level 1
++    # Needs rule
++
++    ## 4.66-ensure-system-histsize-as-100-or-other
++    ### Level 1
++    # Needs rule
++
++    ## 4.67-ensure-system-histfilesize-100
++    ### Level 1
++    # Needs rule
++
++    ## 5.1-ensure-selinux-is-installed
++    ### Level 1
++    # Needs rule
++
++    ## 5.2-ensure-selinux-policy-is-configured
++    ### Level 3
++    # Needs rule
++
++    ## 5.3-ensure-the-selinux-mode-is-enabled
++    ### Level 3
++    # Needs rule
++
++    ## 5.4-ensure-the-selinux-mode-is-enforcing
++    ### Level 3
++    # Needs rule
++
++    ## 5.5-ensure-no-unconfined-services-exist
++    ### Level 4
++    # Needs rule
++
++    ## 5.6-use-selinux-for-separation-of-powers-user-created
++    ### Level 4
++    # Needs rule
++
++    ## 5.7-use-selinux-for-separation-of-powers-system-administrator-login-permission-configuration
++    ### Level 4
++    # Needs rule
+\ No newline at end of file
+diff --git a/products/anolis8/transforms/constants.xslt b/products/anolis8/transforms/constants.xslt
+new file mode 100644
+index 0000000000..c3323b4a52
+--- /dev/null
++++ b/products/anolis8/transforms/constants.xslt
+@@ -0,0 +1,10 @@
++
++
++
++
++Anolis OS 8
++Anolis 8
++empty
++anolis
++
++
+diff --git a/products/anolis8/transforms/table-style.xslt b/products/anolis8/transforms/table-style.xslt
+new file mode 100644
+index 0000000000..218d0f7542
+--- /dev/null
++++ b/products/anolis8/transforms/table-style.xslt
+@@ -0,0 +1,5 @@
++
++
++
++
++
+diff --git a/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt b/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt
+new file mode 100644
+index 0000000000..4789419b80
+--- /dev/null
++++ b/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt
+@@ -0,0 +1,8 @@
++
++
++
++
++
++
++
++
+diff --git a/products/anolis8/transforms/xccdf2table-cce.xslt b/products/anolis8/transforms/xccdf2table-cce.xslt
+new file mode 100644
+index 0000000000..1ffb22215c
+--- /dev/null
++++ b/products/anolis8/transforms/xccdf2table-cce.xslt
+@@ -0,0 +1,9 @@
++
++
++
++
++
++
++
++
++
+diff --git a/products/anolis8/transforms/xccdf2table-profileccirefs.xslt b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt
+new file mode 100644
+index 0000000000..5a104d956f
+--- /dev/null
++++ b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt
+@@ -0,0 +1,9 @@
++
++
++
++
++
++
++
++
++
+diff --git a/shared/checks/oval/installed_OS_is_anolis8.xml b/shared/checks/oval/installed_OS_is_anolis8.xml
+new file mode 100644
+index 0000000000..c662d8c960
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_anolis8.xml
+@@ -0,0 +1,28 @@
++
++  
++    
++      Anolis OS 8
++      
++        multi_platform_all
++      
++      
++      The operating system installed on the system is Anolis OS 8
++    
++    
++      
++      
++    
++  
++
++  
++    
++    
++  
++  
++    ^8.*$
++  
++  
++    anolis-release
++  
++
++
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index f971d28a04..94967843fa 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -3,6 +3,7 @@
+     
+       Kernel Runtime Parameter IPv6 Check
+       
++	multi_platform_anolis
+ 	multi_platform_debian
+ 	multi_platform_example
+ 	multi_platform_fedora
+diff --git a/ssg/constants.py b/ssg/constants.py
+index d73c6012f3..1c01f6fead 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -41,6 +41,7 @@ SSG_REF_URIS = {
+ product_directories = [
+     'alinux2',
+     'alinux3',
++    'anolis8',
+     'chromium',
+     'debian9', 'debian10', 'debian11',
+     'example',
+@@ -195,6 +196,7 @@ PKG_MANAGER_TO_CONFIG_FILE = {
+ FULL_NAME_TO_PRODUCT_MAPPING = {
+     "Alinux 2": "alinux2",
+     "Alinux 3": "alinux3",
++    "Anolis OS 8": "anolis8",
+     "Chromium": "chromium",
+     "Debian 9": "debian9",
+     "Debian 10": "debian10",
+@@ -266,11 +268,12 @@ REFERENCES = dict(
+ 
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+                        "opensuse", "sle", "ol", "ocp", "rhcos",
+-                       "example", "eks", "alinux", "uos"]
++                       "example", "eks", "alinux", "uos", "anolis"]
+ 
+ MULTI_PLATFORM_MAPPING = {
+     "multi_platform_alinux": ["alinux2"],
+     "multi_platform_alinux": ["alinux3"],
++    "multi_platform_anolis": ["anolis8"],
+     "multi_platform_debian": ["debian9", "debian10", "debian11"],
+     "multi_platform_example": ["example"],
+     "multi_platform_eks": ["eks"],
+@@ -436,6 +439,7 @@ XCCDF_PLATFORM_TO_PACKAGE = {
+ # _version_name_map = {
+ MAKEFILE_ID_TO_PRODUCT_MAP = {
+     'alinux': 'Alibaba Cloud Linux',
++    'anolis': 'Anolis OS',
+     'chromium': 'Google Chromium Browser',
+     'fedora': 'Fedora',
+     'firefox': 'Mozilla Firefox',
+diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py
+index 095191dd2d..b55a217ab7 100644
+--- a/tests/unit/ssg-module/test_utils.py
++++ b/tests/unit/ssg-module/test_utils.py
+@@ -12,7 +12,7 @@ def test_is_applicable():
+ 
+     assert not ssg.utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7')
+     assert not ssg.utils.is_applicable('ol7', 'rhel7')
+-    assert not ssg.utils.is_applicable('alinux2,alinux3,fedora,debian9,debian10,debian11,uos20',
++    assert not ssg.utils.is_applicable('alinux2,alinux3,anolis8,fedora,debian9,debian10,debian11,uos20',
+                                        'rhel7')
+ 
+ 
+-- 
+2.31.1
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index fd28e68..4bbd5b1 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -36,6 +36,8 @@ Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.p
 Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
 Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
 Patch16:		scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
+# supports Anolis OS 8
+Patch1000:        scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch
 
 BuildRequires:	libxslt
 BuildRequires:	expat
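Review bot: The added `Patch1000:` line is padded with spaces while the surrounding `Patch14:`–`Patch16:` lines are tab-aligned; `Patch1000:	scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch` would keep the column layout consistent. The `%prep` section is outside this hunk, so it is worth confirming the patch is actually applied: if `%prep` lists `%patchN` macros explicitly rather than using `%autosetup`, a matching `%patch1000 -p1` line is needed, otherwise the declaration is inert.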
@@ -105,6 +107,7 @@ cd build
 -DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
 -DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
 -DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
+-DSSG_PRODUCT_ANOLIS8:BOOLEAN=TRUE \
 %if %{defined centos}
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
 %else
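Review bot: Enabling `-DSSG_PRODUCT_ANOLIS8:BOOLEAN=TRUE` produces a new set of anolis8 content in the build tree, but nothing in this hunk packages it and the `%files` section is outside the hunk; confirm that `%files` picks the generated anolis8 artifacts up (a glob over the content directory presumably would, an explicit per-product file list would not). The option name and `:BOOLEAN=TRUE` form match the neighbouring product switches, so the CMake side looks consistent.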
@@ -165,6 +168,7 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %changelog
 * Mon Jan 30 2023 Chang Gao  - 0.1.63-4.0.1
 - Add extra package
+- Add product for Anolis8 (#9770) (yyq01323329@alibaba-inc.com)
 
 * Wed Aug 17 2022 Watson Sato  - 0.1.63-4
 - Fix check of enable_fips_mode on s390x (RHBZ#2070564)
-- 